On Thu, May 15, 2008 at 10:07:51AM -0400, Bill Sommerfeld wrote:
> folks interested in solving this may want to look more closely at the
> Kerberos "ksu" scheme invented at Project Athena; rather than having a
> shared password, people who have administrative roles are issued one or
> more secondary principals, each with independent passwords (via the
> kerberos "instance" naming convention). Rather than one shared password
> on the role account, each user gets their own "root instance" password.
> Actions taken as a "root instance" are attributable to an individual
> person, while the regular user account and password are only as powerful
> (and thus only as sensitive) as an account without special powers.

But note that there's no need for us to use ksu to get the same result.
We've previously discussed, more than once too, a user_attr for roles
that says that users assuming the role use not the role's shared
password but their own (or an alternate per-user password). There's no
reason we shouldn't do that.

> IMHO the biggest benefit is one you failed to mention:
> * password sharing between people is never necessary

Hear hear.

Nico
