Using ksu for authenticated su-- problem
- From: "David Konerding" <dakoner@xxxxxxxxx>
- Date: Mon, 14 Apr 2008 11:54:01 -0700
Hi,
We are trying to enable a user to execute a command as another user when they have the second user's credentials already.
For example, we'd like to be able to do this:
usera% kinit userb
Password for userb@xxxxxxxxxxx:
Now that usera has userb's credentials, we want to allow them to run a command as userb:
userb% ksu userb -e /bin/ls /mnt/private
Now, we've been able to set up .k5login or .k5users to allow limited versions of this.
We have no problem allowing usera to ksu to userb this way, but we want to eliminate the need for userb to create .k5login or .k5users.
The reasoning is this: the .k5login and .k5users mechanism provides no additional security for us because we allow Kerberos-based ssh login: if usera already has userb's credentials, they can ssh to localhost and execute any command. ssh is a bit slower (0.5 seconds compared to 0.01 seconds) and we don't want to pay that latency.
Our thinking was to modify ksu to remove the .k5users checking mechanism. Does anybody know if we can get this behavior with stock ksu without modifying .k5users?
Thanks,
Dave
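The .k5login and .k5users checks this message asks about, as an added sketch that is not part of the original post and is not ksu's own code: it models the authorization rules documented in the MIT ksu man page for plain ksu and for ksu -e. The function names, the realm EXAMPLE.COM and the file contents are constructed, and the aname->lname mapping is reduced to an assumed "default principal" comparison.

```python
# Simplified model of ksu's documented authorization rules (MIT ksu man page).
# Added illustration, not ksu source. File contents are passed as strings
# (None means the file does not exist); all sample values are constructed.

def parse_k5users(text):
    """Map principal -> list of commands listed after it ([] if none)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries

def authorize_shell(principal, k5login, k5users, default_principal):
    """ksu without -e: may `principal` get the target account's shell?"""
    if k5login is None and k5users is None:
        # Neither file exists: ksu falls back to aname->lname mapping,
        # modelled here (assumption) as a match on the default principal.
        return principal == default_principal
    if k5login is not None and principal in k5login.split():
        return True
    if k5users is not None:
        cmds = parse_k5users(k5users).get(principal)
        # Shell access needs an entry with no commands, or only "*".
        return cmds is not None and cmds in ([], ["*"])
    return False  # a file exists but has no matching entry

def authorize_command(principal, command, k5users, source_uid, same_user=False):
    """ksu -e: may `principal` run `command` as the target user?"""
    if source_uid == 0 or same_user:
        return True   # root, or source user == target user: no check made
    if k5users is None:
        return False  # -e by a non-root user requires .k5users to exist
    cmds = parse_k5users(k5users).get(principal)
    if cmds is None:
        return False
    # Simplification: exact match only; real ksu also resolves bare names.
    return "*" in cmds or command in cmds

if __name__ == "__main__":
    p = "userb@EXAMPLE.COM"  # constructed principal
    print("shell, no files:", authorize_shell(p, None, None, p))
    print("-e, no .k5users:", authorize_command(p, "/bin/ls", None, 1000))
    print("-e, with entry: ",
          authorize_command(p, "/bin/ls", p + " /bin/ls\n", 1000))
```

In this model the -e path is the one that cannot succeed for a non-root user without a .k5users file, while plain ksu with neither file present falls through to the principal-to-account mapping.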