Sudo w/Ticket Support

Christopher D. Clausen cclausen at
Thu May 7 17:35:58 EDT 2009

petesea at wrote:
> Main reason for not setting NOPASSWD is because I don't have control
> over the sudoers file on most of the systems I have access to.  And
> the SA's are very reluctant to use "NOPASSWD".

Do you know about the ksu command?

Or using a ~root/.k5login and ssh -o "GssapiAuthentication yes" 
root@`hostname` ?

> I believe they just want that extra layer of protection in case a
> workstation is left unattended.

People who leave workstations unattended should not have sudo access. 
Also, if unattended and the tickets are still valid, someone can still 
use them.

> I do see what you mean though.  From a security standpoint, if sudo
> was capable of using an existing TGT, that doesn't seem like it would
> be too much different than using NOPASSWD in the sudoers file.

Yes, exactly.  Except it will stop working once the tickets expire, so 
there is some trivial level of safety.
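An added example, not part of the thread: a small POSIX sh script that audits ~root/.k5login entries (which are matched as full principal strings, so a bare username never matches) and only attempts the GSSAPI root login while a TGT is still valid. It assumes MIT Kerberos klist(1) and OpenSSH; the sample file and principals are constructed.

```shell
#!/bin/sh
# Added example: audit a .k5login file and gate a GSSAPI root login on a
# still-valid TGT. Assumes MIT Kerberos klist(1) and OpenSSH ssh(1).

# k5login_allows FILE PRINCIPAL: .k5login authorizes exact, full principal
# names (one per line), so match the whole line, never a substring.
k5login_allows() {
  grep -Fxq -- "$2" "$1"
}

# k5login_lint FILE: report non-blank lines that lack an @REALM part. Such
# lines never match a real principal and usually mean someone wrote a
# username where a principal was expected. Returns 1 if any were found.
k5login_lint() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '') continue ;;
      *@*) ;;
      *) printf 'not a full principal: %s\n' "$line"; bad=1 ;;
    esac
  done < "$1"
  return $bad
}

# root_ssh_gssapi HOST: klist -s exits non-zero when the cache holds no
# unexpired tickets, which is the "stops working once the tickets expire"
# property; never forward the TGT to the remote host.
root_ssh_gssapi() {
  klist -s || { echo "no valid TGT; run kinit first" >&2; return 1; }
  ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=no "root@$1"
}

# Constructed sample .k5login (hypothetical principals) for demonstration.
sample=$(mktemp)
printf '%s\n' 'alice@EXAMPLE.ORG' 'bob/admin@EXAMPLE.ORG' 'carol' > "$sample"
k5login_allows "$sample" alice@EXAMPLE.ORG && echo "alice@EXAMPLE.ORG allowed"
k5login_allows "$sample" carol@EXAMPLE.ORG || echo "carol@EXAMPLE.ORG rejected"
if k5login_lint "$sample"; then echo "k5login clean"; else echo "fix the entries above"; fi
rm -f "$sample"
```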