SSH mediated Kerberos authenticated sudo.

Frank Cusack frank+krb at linetwo.net
Wed May 11 16:00:08 EDT 2011


On Wed, Dec 22, 2010 at 10:31 AM, <g.w at hurderos.org> wrote:

> ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.1.0.tar.gz
>

Revisiting this.

In my followup idea on having the server initiate the request for the fresh
credential, any thoughts on how to present a secure UI to the user so that
he knows this is ACTUALLY a local password request and not something being
mocked up by a compromised server?

With the client-initiated escape sequence, I think it's less of a concern
since, as long as the client software is not tampered with, the user has a
guarantee that they are actually entering their password locally.  And if
the client software IS tampered with, then all bets are off anyway.


