[32773] in Kerberos
Re: Using ksu/sudo with Kerberos
daemon@ATHENA.MIT.EDU (Brian Candler)
Tue Oct 5 04:04:01 2010
Date: Tue, 5 Oct 2010 09:03:51 +0100
From: Brian Candler <B.Candler@pobox.com>
To: "Christopher D. Clausen" <cclausen@acm.org>
Message-ID: <20101005080351.GA2672@talktalkplc.com>
In-Reply-To: <08FD8113AE1F4BB4AE81A00E28DCFEE6@CDCHOME>
Cc: kerberos@mit.edu
On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
> Note that depending upon your SSH setup, adding user principals to
> root's .k5login (or auth_to_local rules) might allow one to login
> directly as root on the system via SSH.

ISTM that leaves a bit of an administrative headache in updating .k5login
files on all the machines. I don't suppose there's a way to get kerberos or
openssh to query LDAP for this instead? I see the question asked in 2007
but only some private patches mentioned:

http://mailman.mit.edu/pipermail/kerberos/2007-October/012353.html

At worst, I guess I could write a script which does an LDAP query every hour
and writes the results to root's .k5login.

sudo's testing for group membership seems a lot more attractive in that
regard.

Regards,

Brian.
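The hourly LDAP-to-.k5login script Brian floats above, as an added example that is not part of the original thread. It assumes a posixGroup cn=rootadmins whose members are listed in memberUid, principals of the form uid@EXAMPLE.COM, and a constructed LDIF sample standing in for the ldapsearch call. Since .k5login decides who may log in as root, the script fails closed (an empty or malformed result leaves the existing file untouched) and writes the new file 0600 before renaming it into place.

```shell
#!/bin/sh
# Regenerate root's .k5login from an LDAP group. Hypothetical helper, not from
# the thread. Assumptions: the group is a posixGroup whose members are listed
# in memberUid, and each member's principal is <uid>@REALM.
REALM="EXAMPLE.COM"
K5LOGIN="${K5LOGIN:-/root/.k5login}"
# Constructed stand-in for the output of
#   ldapsearch -LLL -x -H ldap://ldap.example.com -b ou=groups,dc=example,dc=com '(cn=rootadmins)' memberUid
SAMPLE_LDIF='dn: cn=rootadmins,ou=groups,dc=example,dc=com
memberUid: bob
memberUid: alice
memberUid: bob
'
fetch_group_ldif() { printf '%s' "$SAMPLE_LDIF"; }
# LDIF on stdin -> one principal per line, sorted and deduplicated. Returns
# non-zero when the group is empty or a uid looks wrong, so a failed or
# tampered query can never silently change who may log in as root.
ldif_to_k5login() {
    members=$(sed -n 's/^memberUid: *//p' | sort -u)
    [ -n "$members" ] || return 1
    # A '/' or '@' in a uid would change the principal (alice/admin@REALM).
    if printf '%s\n' "$members" | grep -qvE '^[A-Za-z0-9._-]+$'; then
        return 2
    fi
    printf '%s\n' "$members" | sed "s/\$/@$REALM/"
}
# stdin -> $1, written to a 0600 temp file beside it and renamed into place,
# so sshd never sees a half-written or world-readable .k5login.
install_k5login() {
    dest="$1"
    tmp=$(mktemp "$(dirname "$dest")/.k5login.XXXXXX") || return 1
    if cat >"$tmp" && chmod 0600 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
main() {
    content=$(fetch_group_ldif | ldif_to_k5login) || {
        echo "refusing to touch $K5LOGIN: no usable members from LDAP" >&2
        return 1
    }
    printf '%s\n' "$content" | install_k5login "$K5LOGIN"
}
case "${1:-}" in
    --apply) main ;;                            # as root, e.g. from hourly cron
    *) fetch_group_ldif | ldif_to_k5login ;;    # dry run: print the principals
esac
```

Without `--apply` the script only prints the principals it would install; with it, run as root, it replaces /root/.k5login atomically.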
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos