Re: Using ksu/sudo with Kerberos

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Oct 4 17:50:18 2010

From: Russ Allbery <rra@stanford.edu>
To: Ken Dreyer <ktdreyer@ktdreyer.com>
In-Reply-To: <AANLkTikumQ4en0cEjmUi5sGYzr70euH_Ui9FDg4ki1=v@mail.gmail.com>
	(Ken Dreyer's message of "Mon, 4 Oct 2010 15:47:35 -0600")
Date: Mon, 04 Oct 2010 14:50:10 -0700
Message-ID: <8739sl8w6l.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ken Dreyer <ktdreyer@ktdreyer.com> writes:
> On Mon, Oct 4, 2010 at 3:38 PM, Russ Allbery <rra@stanford.edu> wrote:

>> Yup.  You may want to also disable public key authentication.

> We're enabling kerberos for several services at my organization, and
> we were just having this same discussion. Can you elaborate on why you
> would disable pubkey?

It's totally up to you, of course, and we do leave it enabled on some
systems because in some cases it's easier than using GSSAPI authentication
with ssh.  But once you have Kerberos, public keys constitute a second
parallel authentication system which isn't tied in with Kerberos, which is
a potential vulnerability.  You may disable a Kerberos account but forget
to remove their authorized_keys entries, for example.  ssh keys are
also difficult to centrally manage, which is usually one of the whole
points of a Kerberos infrastructure.

There unfortunately isn't any way that I know of to allow GSSAPI and
public key authentication via ssh for regular users but require GSSAPI
alone for root authentication, so we usually just turn public key off
entirely.  (I suppose you could enforce an empty authorized_keys file, but
that requires some sort of configuration management infrastructure running
on each system to ensure that.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos