"Christopher D. Clausen" <[email protected]> writes:
> Russ Allbery <[email protected]> wrote:

>> We do this, except we use .k5login with a specific list of principals that
>> should have access to root. I wouldn't use auth_to_local for...

> Note that depending upon your SSH setup, adding user principals to root's
> .k5login (or auth_to_local rules) might allow one to login directly as root
> on the system via SSH. In general, that is exactly what I prefer to do:
> ssh r...@machine gets me in as root but logs that cclausen (or
> cclausen/admin) made the connection. Of course it doesn't log every
> individual action, but IIRC neither does ksu.

Same here. I prefer that to ksu since it doesn't expose the password on
the local system.

> I have PermitRootLogin set to without-password in sshd_config so that
> Kerberos is allowed but not password based auth for the root user.

Yup. You may want to also disable public key authentication.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
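
The sshd_config side of the setup discussed in this thread, as an added example that is not part of the original messages. The realm EXAMPLE.ORG and the choice to scope the public-key restriction to root with a Match block are assumptions.

```conf
# /etc/ssh/sshd_config (fragment) -- added example, not from the thread

# Allow Kerberos (GSSAPI) logins. For a GSSAPI login, the target account's
# ~/.k5login decides which authenticated principals may log in as it.
GSSAPIAuthentication yes

# root may log in, but never with password or keyboard-interactive auth.
# Newer OpenSSH releases spell this value "prohibit-password" and keep
# "without-password" as a deprecated alias.
PermitRootLogin without-password

# without-password still leaves public keys usable for root, so turn them
# off for root only; other accounts keep their default behaviour.
Match User root
    PubkeyAuthentication no

# /root/.k5login is a separate file: one principal per line, for example
# cclausen/admin@EXAMPLE.ORG (EXAMPLE.ORG is a placeholder realm).
```

Validate the file with `sshd -t` before reloading sshd.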
