Sudo w/Ticket Support
petesea at bigfoot.com
Thu May 7 17:15:11 EDT 2009
On Thu, 7 May 2009, miguel.sanders at arcelormittal.com wrote:
> Afaik that's not available yet (however, you could integrate it yourself).
> But if you already obtained a TGT, why bother authenticating again?
Because sudo prompts me. That's what I'm trying to avoid. I'd like sudo
to look at my ticket cache, see that I already have a valid TGT and give
me access without being prompted for a password.
>> But not use just use NOPASSWD.
> Last sentence should have been : "Why not use NOPASSWD?"
Main reason for not setting NOPASSWD is because I don't have control over
the sudoers file on most of the systems I have access to. And the SAs
are very reluctant to use "NOPASSWD".
I believe they just want that extra layer of protection in case a
workstation is left unattended.
I do see what you mean though. From a security standpoint, if sudo was
capable of using an existing TGT, that doesn't seem like it would be too
much different than using NOPASSWD in the sudoers file.