I am wondering, what are people using instead of sudo in an Kerberized
environment?
So far I can see the following options:
(1) create separate principals for each user who should have root access,
e.g.
[email protected]
candlerb/[email protected]
Then map */admin to the root account using auth_to_local, and people
can use ksu to switch.
(I'm not sure I like the idea of burying "/admin" inside a principal's name;
that seems to be mixing authentication and authorization. And that would
apply a single authorization policy across all systems)
(2) Use sudo with NOPASSWD for users who are members of a particular group
(3) Use sudo with pam_krb5, so user has to enter their password again.
Kerberos is then just acting as a password oracle (ick).
Are there any others I should be considering?
Thanks,
Brian.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
