Brian Candler <[email protected]> writes: > (1) create separate principals for each user who should have root access, > e.g. > [email protected] > candlerb/[email protected]
> Then map */admin to the root account using auth_to_local, and people > can use ksu to switch. We do this, except we use .k5login with a specific list of principals that should have access to root. I wouldn't use auth_to_local for... > (I'm not sure I like the idea of burying "/admin" inside a principal's name; > that seems to be mixing authentication and authorization. And that would > apply a single authorization policy across all systems) ...exactly that reason. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
