[32766] in Kerberos
Re: Using ksu/sudo with Kerberos
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Mon Oct 4 16:47:12 2010
Message-ID: <08FD8113AE1F4BB4AE81A00E28DCFEE6@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kerberos@mit.edu>
Date: Mon, 4 Oct 2010 15:47:00 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ Allbery <rra@stanford.edu> wrote:
> Brian Candler <B.Candler@pobox.com> writes:
>
>> (1) create separate principals for each user who should have root access,
>> e.g.
>> candlerb@FOO.EXAMPLE.COM
>> candlerb/admin@FOO.EXAMPLE.COM
>
>> Then map */admin to the root account using auth_to_local, and people
>> can use ksu to switch.
>
> We do this, except we use .k5login with a specific list of principals that
> should have access to root. I wouldn't use auth_to_local for...
Note that depending upon your SSH setup, adding user principals to root's
.k5login (or auth_to_local rules) might allow one to log in directly as root
on the system via SSH. In general, that is exactly what I prefer to do:
ssh root@machine gets me in as root but logs that cclausen (or
cclausen/admin) made the connection. Of course it doesn't log every
individual action, but IIRC neither does ksu.
I have PermitRootLogin set to without-password in sshd_config so that
Kerberos is allowed but not password-based auth for the root user.
<<CDC
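The following is an added example and not code from this thread: a small POSIX shell audit of the setup Christopher describes (PermitRootLogin without-password, password authentication off, root's .k5login listing the */admin principals Brian proposed), plus extraction of the principal from the sshd log entry he relies on for accountability. The sshd_config fragments, .k5login contents, realm name EXAMPLE.COM and log line are all constructed here; the log line follows the "Authorized to <user>, krb5 principal <principal> (krb5_kuserok)" shape I believe OpenSSH's Kerberos GSSAPI code emits, which is an assumption to verify against your own sshd logs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits the "root over SSH
# via Kerberos only" configuration discussed above. Every input below is
# constructed for the demonstration; adjust the principal convention and
# log format to match your site.

# --- constructed sample inputs ----------------------------------------------

# sshd_config fragment matching the message. GSSAPIAuthentication is the
# OpenSSH directive that permits the Kerberos login in the first place.
GOOD_SSHD_CONFIG='# hardened root policy
PermitRootLogin without-password
PasswordAuthentication no
GSSAPIAuthentication yes'

# Weaker variant: root may still log in with a password.
WEAK_SSHD_CONFIG='PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes'

# root's ~/.k5login, one principal per line, using Brian's scheme of a
# separate */admin principal per person (hypothetical names and realm).
GOOD_K5LOGIN='cclausen/admin@EXAMPLE.COM
candlerb/admin@EXAMPLE.COM'

# Same file with an everyday (non-admin) principal slipped in.
SLOPPY_K5LOGIN='cclausen/admin@EXAMPLE.COM
candlerb@EXAMPLE.COM'

# Constructed sshd log line in the assumed krb5_kuserok format.
SAMPLE_LOG='Oct  4 15:47:00 host1 sshd[1234]: Authorized to root, krb5 principal cclausen/admin@EXAMPLE.COM (krb5_kuserok)'

# --- checks -----------------------------------------------------------------

# Print the effective value of one sshd_config keyword. Keywords are
# case-insensitive and the first occurrence wins, so stop at the first match
# and skip comment lines.
sshd_option() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print tolower($2); exit }'
}

# Return 0 only if root cannot authenticate with a password: PermitRootLogin
# must be without-password (or its newer spelling prohibit-password) and
# PasswordAuthentication must be off.
check_sshd_root_policy() {
    prl=$(sshd_option PermitRootLogin "$1")
    pwa=$(sshd_option PasswordAuthentication "$1")
    case "$prl" in
        without-password|prohibit-password) ;;
        *) return 1 ;;
    esac
    [ "$pwa" = "no" ]
}

# Print the first .k5login entry that is not a */admin principal and return 1;
# return 0 if every non-blank entry follows the */admin convention.
check_k5login_admin_only() {
    bad=$(printf '%s\n' "$1" | grep -v '^[^@/]*/admin@' | grep -v '^[[:space:]]*$' | head -n 1)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Pull the Kerberos principal out of an "Authorized to root" sshd log line,
# which is the audit trail that tells you who actually became root.
root_login_principal() {
    printf '%s\n' "$1" | sed -n 's/.*Authorized to root, krb5 principal \([^ ]*\) (krb5_kuserok).*/\1/p'
}

# --- demonstration ----------------------------------------------------------
if check_sshd_root_policy "$GOOD_SSHD_CONFIG"; then
    echo "good sshd_config: root is Kerberos-only"
fi
if ! check_sshd_root_policy "$WEAK_SSHD_CONFIG"; then
    echo "weak sshd_config: root can still log in with a password"
fi
offender=$(check_k5login_admin_only "$SLOPPY_K5LOGIN") ||
    echo "non-admin principal in root's .k5login: $offender"
echo "root login came from: $(root_login_principal "$SAMPLE_LOG")"
```

Run it as `sh audit.sh`; to audit a real host, replace the constructed strings with `$(cat /etc/ssh/sshd_config)`, `$(cat /root/.k5login)` and lines grepped from your auth log.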
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos