Using ksu, we can have users take on a different user ID without need for a password (once they've authenticated as themselves, of course).
For example, a DBA can log in, then:

bob> ksu oracle
Authenticated [EMAIL PROTECTED]
Account oracle: authorization for [EMAIL PROTECTED] successful
Changing uid to oracle (35000)
oracle# startup_database_3

and the database starts up running under the oracle user ID. su requires a password. Considering the number of user IDs we have that people can ksu to (for example, many databases actually run under an oracle ID specific to that database), managing passwords would be a logistics nightmare.

One thing you have to keep in mind is that we have a lot of fairly conservative people here. Requiring them to learn a new mechanism to replace what they've used for years is not an option. It may work for the sysadmin group, but not for most others.

In addition, the mechanism must be invisible across OS versions. What works on RedHat must work on Solaris, and what works in Solaris 8 must work in Solaris 10. Don't ask some of the users to keep track of what system/OS/revision they're on, unless you like a lot of stress in your life.

This was set up by someone much smarter than me (and who was long gone before I got here), before Sun embraced Kerberos, and changing it would get very little traction.

So, if there is a way to do this with just su and a specific PAM stack, I'm listening.

Rainer

> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 03, 2005 3:25 PM
> To: Heilke, Rainer; Douglas E. Engert; [email protected]
> Subject: RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
>
>
> On Friday, June 03, 2005 01:32:20 PM -0600 "Heilke, Rainer"
> <[EMAIL PROTECTED]> wrote:
>
>>> P.S. What is the other issue?
>>
>> Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
>> not provide the same functionality. We have an RFE open on this. BTW, if
>> anyone else needs ksu, please add your names to the RFE.
>
> What do you need in a ksu that you don't get from Solaris's su and a
> properly-configured PAM stack?
>
> --
> Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
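Added illustration (not from the thread or from MIT's ksu source): a Python model of the per-target-user authorization step the transcript above shows ("authorization for ... successful"), using constructed ~oracle/.k5login and ~oracle/.k5users contents. It assumes the documented file formats (one principal per line in .k5login; principal plus optional command list, with `*` meaning any command, in .k5users) and simplifies the no-command case to "default shell only".

```python
"""Model of ksu's per-target-user authorization decision (added illustration)."""

# Constructed sample contents of the target account's .k5login and .k5users
# files (not real site data). Principals and paths are made up.
K5LOGIN_TEXT = """\
bob@EXAMPLE.COM
"""
K5USERS_TEXT = """\
alice@EXAMPLE.COM  /opt/oracle/bin/startup_database_3 /opt/oracle/bin/shutdown_database_3
carol@EXAMPLE.COM  *
dave@EXAMPLE.COM
"""


def parse_k5login(text):
    """One authorized principal per line; these may run anything as the target."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_k5users(text):
    """Principal followed by an optional command list; '*' means any command."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            table[fields[0]] = fields[1:]
    return table


def ksu_authorized(source, target_user, realm, k5login=None, k5users=None, command=None):
    """True if `source` may become `target_user` (and run `command`, if one is given).

    k5login / k5users are the parsed files, or None when the file is absent.
    Assumption (simplified): a .k5users line with no command list permits only the
    default shell (no -e command); an explicit list permits only those commands.
    """
    if k5login is None and k5users is None:
        # Neither file present: only the target user's own principal in the local realm.
        return source == f"{target_user}@{realm}"
    if k5login and source in k5login:
        return True
    if k5users and source in k5users:
        allowed = k5users[source]
        if "*" in allowed:
            return True
        return allowed == [] if command is None else command in allowed
    return False


if __name__ == "__main__":
    login, users = parse_k5login(K5LOGIN_TEXT), parse_k5users(K5USERS_TEXT)
    for who, cmd in [("bob@EXAMPLE.COM", None), ("alice@EXAMPLE.COM", "/bin/sh")]:
        print(who, cmd, ksu_authorized(who, "oracle", "EXAMPLE.COM", login, users, cmd))
```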
