Using ksu/sudo with Kerberos

Russ Allbery rra at stanford.edu
Tue Oct 5 13:27:29 EDT 2010


Guillaume Rousse <Guillaume.Rousse at inria.fr> writes:
> Le 04/10/2010 23:56, Russ Allbery a écrit :

>> There unfortunately isn't any way that I know of to allow GSSAPI and
>> public key authentication via ssh for regular users but require GSSAPI
>> alone for root authentication, so we usually just turn public key off
>> entirely.  (I suppose you could enforce an empty authorized_keys file, but
>> that requires some sort of configuration management infrastructure running
>> on each system to ensure that.)

> What about this (untested) ?
> Match User root
>     PubkeyAuthentication no

Ah, yes, the Match stuff is relatively new and will probably now do the
right thing.  Thank you!

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>




More information about the Kerberos mailing list