Help: ksu questions

Russ Allbery rra at
Sat Jan 8 01:11:36 EST 2011

Lee Eric <openlinuxsource at> writes:

> Thanks Russ, that's very clear. BTW, I think client users shall use
> ksu under local machine, not remote machines. Because I notice that
> ksu will prompt me that it's unsafe if I type Kerberos password under
> insecure connection.

Yeah, ideally in Kerberos you never enter your password into any remote
system, but always authenticate locally and then use Kerberos to
authenticate to remote systems.  We're moving in that way (by allowing
root logins only via GSSAPI), but the tradeoff is that you have to allow
remote direct root logins, which makes some a bit uncomfortable.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list