Using ksu/sudo with Kerberos

Brian Candler B.Candler at pobox.com
Tue Oct 5 04:03:51 EDT 2010


On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
> Note that depending upon your SSH setup, adding user principals to
> root's .k5login (or auth_to_local rules) might allow one to login
> directly as root on the system via SSH.

ISTM that leaves a bit of an administrative headache in updating .k5login
files on all the machines.  I don't suppose there's a way to get Kerberos or
OpenSSH to query LDAP for this instead?  I see the question asked in 2007
but only some private patches mentioned:
http://mailman.mit.edu/pipermail/kerberos/2007-October/012353.html

At worst, I guess I could write a script which does an LDAP query every hour
and writes the results to root's .k5login

sudo's testing for group membership seems a lot more attractive in that
regard.

Regards,

Brian.
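The hourly LDAP-to-.k5login sync sketched in the message above, as an added example that is not part of the original post or of any Kerberos or LDAP project code. It assumes an OpenLDAP `ldapsearch` client, that principals are stored in a `krbPrincipalName` attribute, a hypothetical group `cn=kerberos-root,ou=groups,dc=example,dc=com`, and `LDAP_URI`/`LDAP_BASE` variables set by the caller; the sample LDIF is constructed, not real directory output.

```shell
#!/bin/sh
# Added example: rebuild root's .k5login from an LDAP group lookup.
# Attribute name, group DN and LDAP_URI/LDAP_BASE are assumptions.

# Read LDIF on stdin, print krbPrincipalName values one per line, sorted and
# de-duplicated.  LDIF folds long values onto a following line that starts
# with a space, so unfold before matching.
ldif_principals() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { print "" }' \
    | sed -n 's/^krbPrincipalName: //p' \
    | sort -u
}

# Install stdin as $1 atomically (temp file in the same directory, then
# rename) with mode 0600.  An empty result is refused: a failed LDAP query
# must not silently turn into "nobody may become root".
install_k5login() {
    dest=$1
    tmp="$dest.tmp.$$"
    ( umask 077; cat > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to install empty $dest" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# The cron job: query the group members and install the result.
# Filter and attribute are placeholders for your directory schema.
sync_k5login() {
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        '(memberOf=cn=kerberos-root,ou=groups,dc=example,dc=com)' \
        krbPrincipalName \
    | ldif_principals \
    | install_k5login /root/.k5login
}

# Constructed sample of what ldapsearch -LLL would print (not real data).
# bob's value is line-folded, and alice appears twice.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
krbPrincipalName: alice/admin@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
krbPrincipalName: bob/admin@EXAMPLE.CO
 M

dn: uid=alice2,ou=people,dc=example,dc=com
krbPrincipalName: alice/admin@EXAMPLE.COM
'

# Stand-alone demonstration on the sample: writes $1 and prints it.
demo_k5login() {
    printf '%s' "$SAMPLE_LDIF" | ldif_principals | install_k5login "$1"
    cat "$1"
}

demo_out="${TMPDIR:-/tmp}/k5login.demo.$$"
demo_k5login "$demo_out"
rm -f "$demo_out"
```

Run `sync_k5login` from root's crontab; because the temporary file is renamed into place, ksu never sees a half-written .k5login, and the empty-file check keeps a directory outage from locking every admin out. Keep in mind the point made earlier in the thread: any principal listed here can also log in directly as root over SSH if GSSAPI authentication is enabled.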
