[krbdev.mit.edu #8619] ksu command doesn't use service ticket in cache file but always re-requests to TGS

Fabiano Tarlao via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Nov 21 16:36:00 EST 2017


Yes, this is our goal. We already have services in execution on each host;
for this reason ksu seems to fit our needs well, but the fact that it needs
the TGTs is the only defect.
I have never heard about this remctl, very interesting, I'll check it
immediately. Great!
Regards


On 21 November 2017 at 22:00, Greg Hudson via RT <rt-comment at krbdev.mit.edu>
wrote:

> I can look into changing the code's behavior, but not on any specific
> time table.  ksu isn't a terribly high priority component for the
> project.
>
> From your stated security motivation, it sounds like you are building a
> scripted or programmatic system on top of ksu to allow specific
> operations to be performed at an escalated privilege level.  I don't
> think ksu makes a great building block.  Without knowing the full
> parameters of the system I can't say what would make a better building
> block, but perhaps remctl (
> https://www.eyrie.org/~eagle/software/remctl/ ) would be better.
>


