Hi,

We are trying to enable a user to execute a command as another user when they have the second user's credentials already.

For example, we'd like to be able to do this:

    usera% kinit userb
    Password for [EMAIL PROTECTED]:

Now that usera has userb's credentials, we want to allow them to run a command as userb:

    userb% ksu userb -e /bin/ls /mnt/private

Now, we've been able to set up .k5login or .k5users to allow limited versions of this. We have no problem allowing usera to ksu to userb this way, but we want to eliminate the need for userb to create .k5login or .k5users.

The reasoning is this: the .k5login and .k5users mechanism provides no additional security for us because we allow Kerberos-based ssh login. If usera already has userb's credentials, they can ssh to localhost and execute any command. ssh is a bit slower (0.5 seconds compared to 0.01 seconds) and we don't want to pay that latency.

Our thinking was to modify ksu to remove the .k5users checking mechanism. Does anybody know if we can get this behavior with stock ksu without modifying .k5users?

Thanks,
Dave

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
