[32775] in Kerberos


Re: Using ksu/sudo with Kerberos

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Oct 5 13:27:43 2010

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <4CAADCA9.1030109@inria.fr> (Guillaume Rousse's message of "Tue, 
	05 Oct 2010 10:07:05 +0200")
Date: Tue, 05 Oct 2010 10:27:29 -0700
Message-ID: <87r5g41rem.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Guillaume Rousse <Guillaume.Rousse@inria.fr> writes:
> On 04/10/2010 23:56, Russ Allbery wrote:

>> There unfortunately isn't any way that I know of to allow GSSAPI and
>> public key authentication via ssh for regular users but require GSSAPI
>> alone for root authentication, so we usually just turn public key off
>> entirely.  (I suppose you could enforce an empty authorized_keys file, but
>> that requires some sort of configuration management infrastructure running
>> on each system to ensure that.)

> What about this (untested) ?
> Match User root
>     PubkeyAuthentication no

Ah, yes, the Match stuff is relatively new and will probably now do the
right thing.  Thank you!

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
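An added example, not part of the original message: a small Python check that reads sshd_config text and reports the value in effect for a given user, so the Match block suggested above can be confirmed to turn public keys off for root only. The sample configuration and the function names are constructed for illustration, and only `Match User` and `Match all` criteria are evaluated.

```python
import fnmatch

# Constructed sample config (not from the thread): GSSAPI and public keys
# for everyone, public keys switched off for root through a Match block.
SAMPLE = """\
GSSAPIAuthentication yes
PubkeyAuthentication yes

Match User root
    PubkeyAuthentication no
"""

def user_matches(patterns, user):
    """Comma-separated pattern list; a matching '!pattern' vetoes the match."""
    hit = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(user, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(user, pat):
            hit = True
    return hit

def effective(config, keyword, user):
    """Value in effect for `keyword` when `user` logs in, or None if unset."""
    keyword = keyword.lower()
    global_val = match_val = None
    active, in_match = True, False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True
            if [a.lower() for a in args] == ["all"]:
                active = True
            elif len(args) == 2 and args[0].lower() == "user":
                active = user_matches(args[1], user)
            else:  # Host, Address, Group and others are not handled here
                raise ValueError("unsupported Match criteria: " + raw.strip())
        elif key == keyword and active and args:
            # First value obtained wins, tracked separately per scope;
            # a value from a matching Match block overrides the global one.
            if in_match and match_val is None:
                match_val = args[0].lower()
            elif not in_match and global_val is None:
                global_val = args[0].lower()
    return match_val if match_val is not None else global_val
```

On a host with OpenSSH installed, sshd's extended test mode (`sshd -T` with a `-C` connection specification) prints the authoritative effective configuration and should be preferred over any re-implementation.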
