Query regarding ksu.

Use Nas usenas at gmail.com
Wed Sep 1 14:19:10 EDT 2010


Thanks Russ.

However, i still have a doubt regarding the statement mentioned below:

However, there is a believe that the we should be able to ksu to all the any
non-root user ( when logged in as root ) similar to su command. but i think
it is against the design of kerberos , as we always need the password to
decrypt the TGT sent by KDC.

Is the above statement correct ?

Thanks
-S

On Wed, Sep 1, 2010 at 10:55 PM, Russ Allbery <rra at stanford.edu> wrote:

> Use Nas <usenas at gmail.com> writes:
>
> > =======
> > Situation :
> > =======
>
> > Source User: root
> > Target User: non_root_user
>
> > There are no tickets in cache and currently we are logged in as "root"
> user.
> > #ksu non_root_user
>
> > Whats should be the expected behavior of the above command ?
>
> > I believe that if the source user is "root" and target is "non root" &
> > there is no ticket in the cache, then the it should prompt for the
> > password for "non root" user.  If there is ticket in the cache, then it
> > doesn't prompt for the password and creates a valid context and ticket.
>
> That sounds right to me, assuming that you mean a ticket for the target
> user (not just any ticket).
>
> > However, there is a believe that the we should be able to ksu to all the
> > any non-root user ( when logged in as root ) similar to su command. but
>
> If one wants su, I think one should just use su.  "root" has no special
> meaning for Kerberos, and the above behavior seems more useful to me for
> ksu.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>



More information about the Kerberos mailing list