Sudo w/Ticket Support
Christopher D. Clausen
cclausen at acm.org
Thu May 7 17:35:58 EDT 2009
petesea at bigfoot.com wrote:
> Main reason for not setting NOPASSWD is because I don't have control
> over the sudoers file on most of the systems I have access to. And
> the SA's are very reluctant to use "NOPASSWD".
Do you know about the ksu command?
Or using a ~root/.k5login and ssh -o "GssapiAuthentication yes"
root@`hostname` ?
> I believe they just want that extra layer of protection in case a
> workstation is left unattended.
People who leave workstations unattended should not have sudo access.
Also, if unattended and the tickets are still valid, someone can still
use them.
> I do see what you mean though. From a security standpoint, if sudo
> was capable of using an existing TGT, that doesn't seem like it would
> be too much different than using NOPASSWD in the sudoers file.
Yes, exactly. Except it will stop working once the tickets expire, so
there is some trivial level of safety.
<<CDC
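As an added illustration that is not part of the thread, here is what the ksu / ~root/.k5login route mentioned above looks like on the target host, including how ~root/.k5users lets ksu restrict a principal to named commands rather than granting unrestricted root. Hostname, realm and principal names are constructed placeholders.

```text
# /root/.k5login on host1.example.com (constructed example). Any principal
# listed here may become root via ksu, or via ssh with GSSAPI, on the
# strength of a valid TGT alone; once the TGT expires the login fails.
alice/admin@EXAMPLE.COM

# /root/.k5users (constructed). ksu consults this file for per-command
# authorization: "*" allows any command, a list of full paths limits the
# principal to those commands. This is closer to a sudoers entry than to
# a blanket NOPASSWD. bob is deliberately absent from .k5login above, so
# the restriction actually applies to him.
alice/admin@EXAMPLE.COM   *
bob/admin@EXAMPLE.COM     /sbin/service /usr/sbin/apachectl

# On the client, with a current TGT (klist -s exits 0 only while one is
# valid, so the guard below mirrors the "stops working once the tickets
# expire" behaviour):
#   klist -s && ksu root -e /usr/sbin/apachectl graceful
#   ssh -o GSSAPIAuthentication=yes root@host1.example.com

# sshd_config on the host must allow both the mechanism and root logins
# over it. "prohibit-password" still permits GSSAPI, since it only
# disables password and keyboard-interactive methods for root:
#   GSSAPIAuthentication yes
#   PermitRootLogin prohibit-password
```

The ksu binary must be installed setuid root for this to work, and the .k5users path check is done on the full command path, so relative names will not match.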