Since I haven't seen any replies to this I thought I'd give my 2 cents worth. In my opinion a root principal is a REALLY bad idea. It basically will give that principal root access and privileges to any machine in your organization that allows remote kerberos authentication. This can also go for machines that you may not normally have access to (i.e. no local user account). Also, if that principal was ever compromised (it had better require preauth) then you'd most likely be in deep kimchi. There may be ways around this like preventing direct root logins, etc., but I still think it is a dangerous principal to have in your database. Are there any organizations that actually utilize this (or would admit to it :)?

On Thu, Mar 04, 2004 at 12:15:47PM -0500, James Walthall wrote:
> How does root authentication work with kerberos?
>
> To my understanding, it appears as if the root user can authenticate both
> locally and on the kerberos KDC.
>
> I have successfully been able to login onto a kerberized redhat linux 8
> machine using both the root password established locally as well as the
> kerberos principal password without making any configuration changes
> between logins.
>
> I assume this is working as designed. Any idea how to disable the local
> logon for root while still allowing the kerberized logon (or is this just
> a bad idea altogether?)
>
> Thanks in advance!
>
> ---------------
> James Walthall Jr
> IBM Host Integration Server Test / HATS
> Outside: (919) 254-8869
> Tieline: 444-8869
> Research Triangle Park
> Raleigh, North Carolina
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
James J. Barlow <[EMAIL PROTECTED]>
Senior Security Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue Champaign, IL 61820
http://www.ncsa.uiuc.edu/~jbarlow
Voice : (217)244-6403
Cell : (217)840-0601
Fax : (217)244-1987
