pete...@bigfoot.com wrote:
> Main reason for not setting NOPASSWD is because I don't have control
> over the sudoers file on most of the systems I have access to. And
> the SA's are very reluctant to use "NOPASSWD".

Do you know about the ksu command? Or using a ~root/.k5login and
ssh -o "GssapiAuthentication yes" r...@`hostname` ?

> I believe they just want that extra layer of protection in case a
> workstation is left unattended.

People who leave workstations unattended should not have sudo access.
Also, if unattended and the tickets are still valid, someone can still
use them.

> I do see what you mean though. From a security standpoint, if sudo
> was capable of using an existing TGT, that doesn't seem like it would
> be too much different than using NOPASSWD in the sudoers file.

Yes, exactly. Except it will stop working once the tickets expire, so
there is some trivial level of safety.

<<CDC
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos