Using ksu/sudo with Kerberos

Abe Singer abe at ligo.caltech.edu
Mon Oct 4 18:06:53 EDT 2010


FWIW,

In my previous job, we modified sudo (relatively simple patch, I'll
have to dig it up) to use Kerberos authentication with a principal
of the format <user>/sudo@<REALM>. (sudo supports Kerberos auth, but
using the user's login principal, which AFAIC is a horrible mistake
security-wise).

I'm old school -- where allowing direct root login is verboten,
allowing direct login to root just makes me twitch.  Having logging
of who logged in helps, but I prefer requiring users to log in as themselves
and then su/sudo to get root access.  I can't make the strongest argument for
it, but I like having the user have to have an account on the target host
*and* have a separate credential for privilege access, *and* have permission
in sudoers for that host.  If nothing else, maybe it reduces the risk of
accidentally allowing open root login to the machine, or accidentally
giving someone privileged access to a host they're not supposed to have
it on.


-- Abe

On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
> 
> Russ Allbery <rra at stanford.edu> wrote:
> > Brian Candler <B.Candler at pobox.com> writes:
> >
> >> (1) create separate principals for each user who should have root access,
> >> e.g.
> >>       candlerb at FOO.EXAMPLE.COM
> >>       candlerb/admin at FOO.EXAMPLE.COM
> >
> >> Then map */admin to the root account using auth_to_local, and people
> >> can use ksu to switch.
> >
> > We do this, except we use .k5login with a specific list of principals that
> > should have access to root.  I wouldn't use auth_to_local for...
> 
> Note that depending upon your SSH setup, adding user principals to root's 
> .k5login (or auth_to_local rules) might allow one to login directly as root 
> on the system via SSH.  In general, that is exactly what I prefer to do:
> 
> ssh root at machine gets me in as root but logs that cclausen (or 
> cclausen/admin) made the connection.  Of course it doesn't log every 
> individual action, but IIRC neither does ksu.
> 
> I have PermitRootLogin set to without-password in sshd_config so that 
> Kerberos is allowed but not password based auth for the root user.
> 
> <<CDC
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
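
An added example, not part of the thread and not code from any of the posters: a small Python check for the interaction Christopher Clausen describes, where a principal listed in root's .k5login can log in directly as root over SSH when sshd permits Kerberos root logins. The sshd_config and .k5login contents are constructed samples, the function names are hypothetical, Match blocks are not handled, and an unset PermitRootLogin is assumed to default to prohibit-password.

```python
# Added example. Inputs below are constructed samples, not real host files.
SSHD_CONFIG = """\
# constructed sample sshd_config
PermitRootLogin without-password
GSSAPIAuthentication yes
"""
ROOT_K5LOGIN = """\
candlerb/admin@FOO.EXAMPLE.COM
cclausen@FOO.EXAMPLE.COM
"""

def sshd_settings(text):
    """Parse global sshd_config keywords (case-insensitive, first value wins)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def parse_principal(principal):
    """Split primary[/instance]@REALM into (primary, instance, realm)."""
    name, _, realm = principal.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def audit(sshd_text, k5login_text, admin_instance="admin"):
    """Report whether root's .k5login entries grant direct SSH root login."""
    s = sshd_settings(sshd_text)
    # Assumption: unset keywords fall back to these defaults.
    root_login = s.get("permitrootlogin", "prohibit-password")
    gssapi = s.get("gssapiauthentication", "no") == "yes"
    # without-password/prohibit-password block passwords only; Kerberos still works.
    direct_root = gssapi and root_login in (
        "yes", "without-password", "prohibit-password")
    principals = [l.strip() for l in k5login_text.splitlines() if l.strip()]
    # Login principals (no separate admin instance) that can become root.
    non_admin = [p for p in principals
                 if parse_principal(p)[1] != admin_instance]
    return {"direct_root_via_kerberos": direct_root,
            "principals": principals,
            "non_admin_principals": non_admin}

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, ROOT_K5LOGIN))
```

On a real host, feed it the output of `sshd -T` rather than the raw file so that included files and defaults are already resolved.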


