SSH mediated Kerberos authenticated sudo.

Frank Cusack frank+krb at
Wed May 11 16:00:08 EDT 2011

On Wed, Dec 22, 2010 at 10:31 AM, <g.w at> wrote:


Revisiting this.

In my follow-up idea on having the server initiate the request for the fresh
credential, any thoughts on how to present a secure UI to the user so that
he knows this is ACTUALLY a local password request and not something being
mocked up by a compromised server?

With the client-initiated escape sequence, I think it's less of a concern
since, as long as the client software is not tampered with, the user has a
guarantee that they are actually entering their password locally. And if
the client software IS tampered with, then all bets are off anyway.

