[33371] in Kerberos
Re: sudo with kerberos
daemon@ATHENA.MIT.EDU (Frank Cusack)
Thu May 5 19:48:28 2011
In-Reply-To: <1DFE27698BBA1B49B6A8C6B7F7E37253C48DC7C140@019D-NAMSG-01.019D.MGD.MSFT.NET>
Date: Thu, 5 May 2011 16:48:23 -0700
Message-ID: <BANLkTikxjcrdhqXKmPnVJS45kyyZe6qxew@mail.gmail.com>
From: Frank Cusack <frank+krb@linetwo.net>
To: Ubaid Rahman <ubaid.u.rahman@gsk.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
That's terrible! You've enabled anyone to sudo without having to know the
real password. The whole point of sudo requiring a password is to make sure
that the actual user is present (e.g. didn't walk away from an open
terminal). By disabling tgt_verify, anyone can spoof a KDC response that
will be seen as valid.
On Tue, May 3, 2011 at 12:00 PM, Ubaid Rahman <ubaid.u.rahman@gsk.com> wrote:
> Got it to work!
>
> Had to disable tgt_verify option in the methods.cfg file to let sudo, su,
> telnet and ftp work!!!
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
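
A check for the setting discussed in the message above, as an added example that is not part of the original thread: it reports which Kerberos load-module stanzas in a methods.cfg have TGT verification switched off. The stanza layout, the `tgt_verify=no`/`tgt_verify=yes` option spelling, the function names and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag Kerberos load modules in an
# AIX-style methods.cfg whose options switch TGT verification off.
# Assumed layout: "NAME:" stanza headers, indented "key = value" lines,
# and a comma-separated options value carrying tgt_verify=no or =yes.

# Prints "<stanza> <disabled|enabled|unset>" for each Kerberos stanza read
# from the file arguments (or stdin); returns 1 if any stanza is disabled.
audit_tgt_verify() {
    awk '
        function emit() {
            if (name != "" && krb) print name, state
            if (name != "" && state == "disabled") bad = 1
        }
        /^[ \t]*[*#]/ { next }                       # comment line
        /^[^ \t].*:[ \t]*$/ {                        # stanza header
            emit(); name = $0; sub(/:[ \t]*$/, "", name)
            state = "unset"; krb = 0; next
        }
        name != "" && /^[ \t]+program(_64)?[ \t]*=.*KRB5/ { krb = 1 }
        name != "" && /^[ \t]+options[ \t]*=/ {
            opts = $0; sub(/^[^=]*=/, "", opts); gsub(/[ \t]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "tgt_verify=no")  { state = "disabled"; krb = 1 }
                if (o[i] == "tgt_verify=yes") { state = "enabled";  krb = 1 }
            }
        }
        END { emit(); exit bad + 0 }
    ' "$@"
}

# Constructed sample input, not taken from a real host.
sample_cfg() {
    cat <<'EOF'
* constructed sample
LDAP:
        program = /usr/lib/security/LDAP
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no
KRB5:
        program = /usr/lib/security/KRB5
        options = authonly,tgt_verify=yes
EOF
}

sample_cfg | audit_tgt_verify || echo "TGT verification is disabled" >&2
```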