Using ksu/sudo with Kerberos
Brian Candler
B.Candler at pobox.com
Mon Oct 4 11:45:04 EDT 2010
I am wondering, what are people using instead of sudo in a Kerberized
environment?
So far I can see the following options:
(1) create separate principals for each user who should have root access,
e.g.
    candlerb@FOO.EXAMPLE.COM
    candlerb/admin@FOO.EXAMPLE.COM
Then map */admin to the root account using auth_to_local, and people
can use ksu to switch.
(I'm not sure I like the idea of burying "/admin" inside a principal's name;
that seems to be mixing authentication and authorization. And that would
apply a single authorization policy across all systems)
(2) Use sudo with NOPASSWD for users who are members of a particular group
(3) Use sudo with pam_krb5, so user has to enter their password again.
Kerberos is then just acting as a password oracle (ick).
Are there any others I should be considering?
Thanks,
Brian.
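
Added example, not part of the original post: the three options listed above written out as configuration fragments, one per file. It assumes MIT krb5 with FOO.EXAMPLE.COM as the default realm and a Linux-style /etc/pam.d layout; the group name "krbadmins" is hypothetical.

```conf
# --- Option (1): /etc/krb5.conf -------------------------------------
# Map every two-component principal whose instance is "admin" to root.
# Assumes FOO.EXAMPLE.COM is the default realm (rules without $0 only
# apply to the default realm).
[realms]
    FOO.EXAMPLE.COM = {
        # [2:$2] selects principals with exactly two components and
        # takes the second one; "admin" is then rewritten to "root".
        auth_to_local = RULE:[2:$2](^admin$)s/^.*$/root/
        # Everything else falls through to the default mapping,
        # e.g. candlerb@FOO.EXAMPLE.COM -> candlerb.
        auth_to_local = DEFAULT
    }
# If the same krb5.conf is deployed to every host, this mapping grants
# root on all of them, which is the concern raised in the post.

# --- Option (2): /etc/sudoers (edit with visudo) --------------------
# Members of the (hypothetical) group krbadmins run any command as any
# user without being asked for a password.
%krbadmins ALL=(ALL) NOPASSWD: ALL

# --- Option (3): /etc/pam.d/sudo ------------------------------------
# sudo prompts for the password again and pam_krb5 verifies it against
# the KDC; the ticket the user already holds is not used.
auth    required    pam_krb5.so
```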