Using ksu/sudo with Kerberos
Russ Allbery
rra at stanford.edu
Mon Oct 4 17:50:10 EDT 2010
Ken Dreyer <ktdreyer at ktdreyer.com> writes:
> On Mon, Oct 4, 2010 at 3:38 PM, Russ Allbery <rra at stanford.edu> wrote:
>> Yup. You may want to also disable public key authentication.
> We're enabling kerberos for several services at my organization, and
> we were just having this same discussion. Can you elaborate on why you
> would disable pubkey?
It's totally up to you, of course, and we do leave it enabled on some
systems because in some cases it's easier than using GSSAPI authentication
with ssh. But once you have Kerberos, public keys constitute a second
parallel authentication system which isn't tied in with Kerberos, which is
a potential vulnerability. You may disable a Kerberos account but not
forget to remove their authorized_keys entries, for example. ssh keys are
also difficult to centrally manage, which is usually one of the whole
points of a Kerberos infrastructure.
There unfortunately isn't any way that I know of to allow GSSAPI and
public key authentication via ssh for regular users but require GSSAPI
alone for root authentication, so we usually just turn public key off
entirely. (I suppose you could enforce an empty authorized_keys file, but
that requires some sort of configuration management infrastructure running
on each system to ensure that.)
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list