Using ksu/sudo with Kerberos
Christopher D. Clausen
cclausen at acm.org
Mon Oct 4 16:47:00 EDT 2010
Russ Allbery <rra at stanford.edu> wrote:
> Brian Candler <B.Candler at pobox.com> writes:
>
>> (1) create separate principals for each user who should have root access,
>> e.g.
>> candlerb at FOO.EXAMPLE.COM
>> candlerb/admin at FOO.EXAMPLE.COM
>
>> Then map */admin to the root account using auth_to_local, and people
>> can use ksu to switch.
>
> We do this, except we use .k5login with a specific list of principals that
> should have access to root. I wouldn't use auth_to_local for...
Note that depending upon your SSH setup, adding user principals to root's
.k5login (or auth_to_local rules) might allow one to login directly as root
on the system via SSH. In general, that is exactly what I prefer to do:
ssh root at machine gets me in as root but logs that cclausen (or
cclausen/admin) made the connection. Of course it doesn't log every
individual action, but IIRC neither does ksu.
I have PermitRootLogin set to without-password in sshd_config so that
Kerberos is allowed but not password based auth for the root user.
<<CDC
More information about the Kerberos
mailing list