Using ksu/sudo with Kerberos
Brian Candler
B.Candler at pobox.com
Tue Oct 5 04:03:51 EDT 2010
On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
> Note that depending upon your SSH setup, adding user principals to
> root's .k5login (or auth_to_local rules) might allow one to login
> directly as root on the system via SSH.
ISTM that leaves a bit of an administrative headache in updating .k5login
files on all the machines. I don't suppose there's a way to get kerberos or
openssh to query LDAP for this instead? I see the question asked in 2007
but only some private patches mentioned:
http://mailman.mit.edu/pipermail/kerberos/2007-October/012353.html
At worst, I guess I could write a script which does an LDAP query every hour
and writes the results to root's .k5login
sudo's testing for group membership seems a lot more attractive in that
regard.
Regards,
Brian.
More information about the Kerberos
mailing list