On Wed, 2008-05-14 at 23:06 -0700, Scott Rotondo wrote:
> The only reason they have passwords is that we 
> needed the role accounts to be able to act as NIS+ principals, and that 
> requires a credential that is generated from the account login password. 
> If we could find an alternative way to generate that credential (or 
> declare that the ability to act as a NIS+ principal just doesn't matter 
> any more for a role account), 

folks interested in solving this may want to look more closely at the
Kerberos "ksu" scheme invented at Project Athena; rather than having a
shared password, people who have administrative roles are issued one or
more secondary principals, each with independent passwords (via the
Kerberos "instance" naming convention).  Rather than one shared password
on the role account, each user gets their own "root instance" password.
Actions taken as a "root instance" are attributable to an individual
person, while the regular user account and password are only as powerful
(and thus only as sensitive) as an account without special powers.

> Adopting both of the suggestions above means that
> * root actions can always be attributed to a real user
> * assuming a role is more convenient for users
> * fewer passwords need to be remembered, updated, etc.

IMHO the biggest benefit is one you failed to mention:
* password sharing between people is never necessary

                                                - Bill
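
An added illustration of the per-person "root instance" scheme described above (not part of the original message): a small audit of the principal list that authorizes access to a role account. It assumes the list is in the one-principal-per-line form of a Kerberos ~/.k5login file; the realm, user names and function names are constructed for this example.

```python
from typing import NamedTuple


class Principal(NamedTuple):
    primary: str   # the person (or shared name) before the "/"
    instance: str  # "" when the principal has no instance component
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'primary/instance@REALM'. Escaped separators are not handled."""
    local, _, realm = name.strip().partition("@")
    primary, _, instance = local.partition("/")
    return Principal(primary, instance, realm)


def audit_role_principals(text, role_instance="root", shared_names=("root",)):
    """Return (attributable, findings) for a role account's principal list.

    attributable maps each per-person role principal to the individual
    behind it; findings lists entries that defeat attribution or that make
    an everyday password as powerful as the role itself.
    """
    attributable, findings = {}, []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        p = parse_principal(entry)
        if p.primary in shared_names:
            findings.append((entry, "shared identity, not attributable to a person"))
        elif p.instance != role_instance:
            findings.append((entry, "everyday principal granted the role directly"))
        else:
            attributable[entry] = p.primary
    return attributable, findings


# Constructed sample list for a hypothetical root role account.
SAMPLE = """\
alice/root@EXAMPLE.ORG
bob/root@EXAMPLE.ORG
carol@EXAMPLE.ORG
root@EXAMPLE.ORG
"""

if __name__ == "__main__":
    ok, problems = audit_role_principals(SAMPLE)
    print(ok)
    print(problems)
```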



