Help: ksu questions
Russ Allbery
rra at stanford.edu
Sat Jan 8 01:11:36 EST 2011
Lee Eric <openlinuxsource at gmail.com> writes:
> Thanks Russ, that's very clear. BTW, I think client users shall use
> ksu under local machine, not remote machines. Because I notice that
> ksu will prompt me that it's unsafe if I type Kerberos password under
> insecure connection.
Yeah, ideally in Kerberos you never enter your password into any remote
system, but always authenticate locally and then use Kerberos to
authenticate to remote systems. We're moving in that way (by allowing
root logins only via GSSAPI), but the tradeoff is that you have to allow
remote direct root logins, which makes some a bit uncomfortable.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list