Using ksu/sudo with Kerberos
Russ Allbery
rra at stanford.edu
Mon Oct 4 16:25:37 EDT 2010
Brian Candler <B.Candler at pobox.com> writes:
> (1) create separate principals for each user who should have root access,
> e.g.
> candlerb@FOO.EXAMPLE.COM
> candlerb/admin@FOO.EXAMPLE.COM
> Then map */admin to the root account using auth_to_local, and people
> can use ksu to switch.
We do this, except we use .k5login with a specific list of principals that
should have access to root. I wouldn't use auth_to_local for...
> (I'm not sure I like the idea of burying "/admin" inside a principal's name;
> that seems to be mixing authentication and authorization. And that would
> apply a single authorization policy across all systems)
...exactly that reason.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
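
Added example, not part of the original message: with root access granted per host through root's .k5login, each host's file can be audited against the list of principals that are supposed to have root there. The function name, the approved-list file and the sample principal otheruser/admin are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report .k5login entries that are not
# on an approved list of root-capable principals for this host.

# unapproved_principals K5LOGIN APPROVED
#   K5LOGIN  - a .k5login file, one Kerberos principal per line
#   APPROVED - hypothetical allowlist file in the same one-per-line format
# Prints each principal in K5LOGIN that is missing from APPROVED.
# Returns 0 when every entry is approved, 1 otherwise.
unapproved_principals() {
    _k5login=$1
    _approved=$2
    _found=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        # Strip surrounding whitespace and skip blank lines.
        _line=$(printf '%s\n' "$_line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$_line" ] && continue
        # -F: dots are literal. -x: whole-line match, so "admin@REALM" does
        # not pass just because "user/admin@REALM" is approved.
        if ! grep -Fxq -- "$_line" "$_approved"; then
            printf '%s\n' "$_line"
            _found=1
        fi
    done < "$_k5login"
    return "$_found"
}

# Constructed sample data: one host's root .k5login and its approved list.
demo() {
    _dir=$(mktemp -d)
    printf '%s\n' 'candlerb/admin@FOO.EXAMPLE.COM' \
                  'otheruser/admin@FOO.EXAMPLE.COM' > "$_dir/k5login"
    printf '%s\n' 'candlerb/admin@FOO.EXAMPLE.COM' > "$_dir/approved"
    echo "Entries in .k5login that are not approved for this host:"
    unapproved_principals "$_dir/k5login" "$_dir/approved" || true
    rm -rf "$_dir"
}
demo
```

In real use the first argument would be the target account's .k5login (for root, the file in root's home directory) and the second a list maintained per host or per host class.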