FWIW, In my previous job, we modified sudo (relatively simple patch, I'll have to dig it up) to use kerberos authentication with a principal of the format <user>/sudo@<REALM>. (sudo supports kerberos auth, but using the user's login principal, which AFAIC is a horrible mistake security-wise).
I'm old school -- where allowing direct root login is verboten, allowing direct login to root just makes me twitch. Having logging of who logged in helps, but I prefer requiring users to login as themselves and then su/sudo to get root access. I can't make the strongest argument for it, but I like having the user have to have an account on the target host *and* have a separate credential for privilege access, *and* have permission in sudoers for that host. If nothing else, maybe it reduces the risk of accidentally allowing open root login to the machine, or accidentally giving someone privileged access to a host they're not supposed to have it on.

-- Abe

On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
>
> Russ Allbery <[email protected]> wrote:
> > Brian Candler <[email protected]> writes:
> >
> >> (1) create separate principals for each user who should have root access,
> >> e.g.
> >> [email protected]
> >> candlerb/[email protected]
> >
> >> Then map */admin to the root account using auth_to_local, and people
> >> can use ksu to switch.
> >
> > We do this, except we use .k5login with a specific list of principals that
> > should have access to root. I wouldn't use auth_to_local for...
>
> Note that depending upon your SSH setup, adding user principals to root's
> .k5login (or auth_to_local rules) might allow one to login directly as root
> on the system via SSH. In general, that is exactly what I prefer to do:
>
> ssh r...@machine gets me in as root but logs that cclausen (or
> cclausen/admin) made the connection. Of course it doesn't log every
> individual action, but IIRC neither does ksu.
>
> I have PermitRootLogin set to without-password in sshd_config so that
> Kerberos is allowed but not password based auth for the root user.
>
> <<CDC
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
