Help: ksu questions
g.w@hurderos.org
Tue Jan 11 12:59:54 EST 2011
On Jan 8, 2:09pm, Lee Eric wrote:
} Subject: Re: Help: ksu questions
Good morning, hope the day is going well for everyone.
> Thanks Russ, that's very clear. BTW, I think client users shall use
> ksu under local machine, not remote machines. Because I notice that
> ksu will prompt me that it's unsafe if I type Kerberos password
> under insecure connection.
Theoretically in a tight Kerberos authentication environment one never
wants to type a password into a remote machine since it may be
compromised.
We put out a patchset just before Christmas to allow sudo mediated
privilege escalation in a Kerberos friendly fashion using OpenSSH. I
don't know how much control you have over your toolchain or if sudo is
a possibility for you.
The following URL has the patchset:
ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz
The SSH portion of the patch provides a framework for exporting a
short-lived Kerberos authentication packet to the remote side of a
connection. The sudo portion of the patch has support for
authenticating the privilege escalation using the exported packet.
> Eric
Good luck with your systems efforts.
Have a good week.
}-- End of excerpt from Lee Eric
As always,
Greg Wettstein
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
"The software said it required Windows 3.1 or better so I installed Linux."
-- Mark MaClark