Kerberos Ldap Integration

Eric Hill eric at ijack.net
Tue Jun 10 10:42:03 EDT 2008


A root user on a system can become any user ID on that system.  That's just the way Unix security works.

What you are trying to prevent is a root user on system A accessing user data on system B without knowing the user's credentials.
This is precisely what Kerberos prevents.  System B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the user's credentials.

Eric

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Rodrigo Castro
> Sent: Tuesday, June 10, 2008 9:07 AM
> To: Daniel Savard
> Cc: kerberos at mit.edu
> Subject: Re: Kerberos Ldap Integration
> 
> I guess I haven't made myself clear. In my work environment we have many
> labs. Some of them have root privileges to administer their own lab. So
> with their root account they can become any LDAP user. This is undesirable.
> Is there any Kerberos/LDAP configuration to disable this?
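
Eric's point above (root on system A can take the user's uid, but cannot get a TGT without the user's password) as a toy model of the Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication. This is an added example, not code from this thread or from MIT Kerberos: the realm EXAMPLE.COM, the principal alice, and the HMAC-based cipher standing in for a real enctype are constructed for the demo, and the messages are plain dicts rather than the ASN.1 wire format.

```python
"""Toy model of the Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication.
Added example; not MIT Kerberos code and not its wire format."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"   # assumption: constructed realm for the demo
CLOCK_SKEW = 300        # seconds; the usual KDC default


class KerberosError(Exception):
    """Raised with a KRB-ERROR code name such as KDC_ERR_PREAUTH_FAILED."""


def string2key(password: str, principal: str) -> bytes:
    # Kerberos AES enctypes derive the long-term key from the password with
    # PBKDF2 salted by realm+principal; this model does the same with SHA-256.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range(0, length, 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, obj) -> bytes:
    # Encrypt-then-MAC stand-in for a Kerberos enctype (toy, not RFC 3962).
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # wrong key or tampering
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every long-term key; no host in the realm has a copy of a user's key."""

    def __init__(self, passwords: dict):
        self.db = {p: string2key(pw, p) for p, pw in passwords.items()}
        self.db["krbtgt/" + REALM] = os.urandom(32)

    def as_exchange(self, cname: str, padata: bytes):
        """AS-REQ -> AS-REP. padata is the PA-ENC-TIMESTAMP under the client key."""
        key = self.db[cname]
        try:
            ts = decrypt(key, padata)["timestamp"]
        except ValueError:
            raise KerberosError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise KerberosError("KRB_AP_ERR_SKEW")
        session = os.urandom(32).hex()
        tgt = encrypt(self.db["krbtgt/" + REALM], {"cname": cname, "key": session})
        enc_part = encrypt(key, {"key": session})   # only the real user can open this
        return tgt, enc_part

    def open_ticket(self, tgt: bytes):
        """What the TGS does when the TGT comes back: decrypt with the krbtgt key."""
        return decrypt(self.db["krbtgt/" + REALM], tgt)


def kinit(kdc: KDC, cname: str, password: str):
    """The user's kinit: prove the password via PA-ENC-TIMESTAMP, get TGT + session key."""
    key = string2key(password, cname)
    padata = encrypt(key, {"timestamp": time.time()})
    tgt, enc_part = kdc.as_exchange(cname, padata)
    return tgt, decrypt(key, enc_part)["key"]


def root_on_system_a_tries(kdc: KDC, cname: str, guess: str) -> str:
    """Root on system A has su'd to the user, but su gives a uid, not the password."""
    try:
        kinit(kdc, cname, guess)
        return "TGT issued"
    except KerberosError as err:
        return str(err)


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery staple"})   # constructed principal
    tgt, session_key = kinit(kdc, "alice", "correct horse battery staple")
    print("user kinit: TGT for", kdc.open_ticket(tgt)["cname"])
    print("root on system A:", root_on_system_a_tries(kdc, "alice", "guess"))
```

The second call fails with KDC_ERR_PREAUTH_FAILED: with pre-authentication required, the KDC sends nothing at all unless the request already proves knowledge of the password-derived key, and the session key in the AS-REP is encrypted under that same key, so a root session that has merely su'd to the user on system A ends up with nothing System B would accept. The model assumes what the thread assumes: the user has no credential cache or keytab sitting on system A for root to read, and System B accepts no non-Kerberos authentication.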
