On May 7, 11:21am, pete...@bigfoot.com wrote:
} Subject: Sudo w/Ticket Support

Good morning to everyone, hope your respective weeks are going well.

> Is there a version of sudo that supports Ticket Exchange?
>
> ie. if I have valid TGT it will allow me to sudo without being prompted
> for a password?
>
> It appears there is a version that supports the use of Kerberos passwords,
> but I'm looking for something that uses that TGT I already have.

TGT authenticated sudo transition is a bit of a security hole in general. It essentially defeats the notion which sudo has of enforcing user immediacy at the time of the security transition request.

The other major hole with using Kerberos to authenticate a password is that it defeats the underlying premise of the Kerberos security model which states that a password is never typed into a remote machine.

I've got the most recent copy of OpenSSH taken apart right now in an attempt to implement an alternative strategy. I'm teaching the client to open an authenticated channel over which a short lived host based service ticket is passed to the SSHD daemon. After authenticating the service ticket the daemon updates the timestamp on the sudo sentinel file.

The user uses the ~S command to initiate the sequence. The user is prompted for a password which is used to obtain a TGT which is then used to obtain a service ticket which is sent over the channel for authentication. By enforcing a very short ticket lifetime parameter user immediacy can be enforced.

I plan on posting the patches when they are complete. Much like Simon Wilkinson's excellent patches it is unlikely they will see the light of day but local system administrators may find them useful. They will be more palatable than the current situation with respect to Kerberized authentication for sudo. I know in the shops I work with this approach is more favored than typing in remote passwords or using NOPASSWD.

Best wishes for a productive week.

Greg

}-- End of excerpt from pete...@bigfoot.com

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"C++ is designed to allow you to express ideas, but if you don't have any
 ideas or don't have any clue about how to express them, C++ doesn't offer
 much help."
                                -- Bjarne Stroustrup
                                   Technology Review
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
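The following is an added model of the daemon-side policy the post sketches; it is not Greg Wettstein's OpenSSH patches and does not touch real Kerberos or sudo. The "service ticket" is a constructed record (principal names, authtime, endtime) whose cryptographic validation is assumed to have already succeeded; the 30-second lifetime bound and the 5-minute sudo timeout are assumed values. It shows the two checks that together give user immediacy: the daemon only refreshes the sentinel file when the ticket is for this host, currently valid, and so short-lived that the password must have been typed moments ago, and sudo itself only honours a sentinel whose modification time is within its timeout.

```python
"""Model of short-lived-ticket -> sudo-sentinel refresh (added example)."""
import os
import tempfile
from dataclasses import dataclass

MAX_TICKET_LIFETIME = 30         # assumed: seconds a ticket may be valid for
SUDO_TIMESTAMP_TIMEOUT = 5 * 60  # assumed: sudo's 5-minute timestamp_timeout


@dataclass
class ServiceTicket:
    """Constructed stand-in for the fields of a Kerberos service ticket."""
    client: str      # client principal
    server: str      # host-based service principal the ticket was issued for
    authtime: float  # when the client authenticated to the KDC (epoch secs)
    endtime: float   # ticket expiry (epoch secs)


def ticket_proves_immediacy(t, expected_server, now,
                            max_lifetime=MAX_TICKET_LIFETIME):
    """Return (ok, reason). ok only when the ticket is for this host, is
    valid now, and its lifetime is short enough to bound when the user
    last typed a password."""
    if t.server != expected_server:
        return False, "ticket is for a different service"
    if not (t.authtime <= now < t.endtime):
        return False, "ticket not currently valid"
    if t.endtime - t.authtime > max_lifetime:
        return False, "ticket lifetime exceeds immediacy bound"
    if now - t.authtime > max_lifetime:
        return False, "authentication too old"
    return True, "ok"


def refresh_sudo_sentinel(path, now):
    """What the daemon does after accepting a ticket: touch the sentinel."""
    with open(path, "a"):
        pass                      # create if missing
    os.utime(path, (now, now))    # set atime/mtime to 'now'


def sudo_timestamp_valid(path, now, timeout=SUDO_TIMESTAMP_TIMEOUT):
    """sudo's side: sentinel exists and its mtime is within the timeout."""
    try:
        mtime = os.stat(path).st_mtime
    except FileNotFoundError:
        return False
    return 0 <= now - mtime <= timeout


def handle_ticket_request(sentinel, ticket, host_principal, now):
    """Daemon entry point: validate, then refresh the sentinel on success."""
    ok, reason = ticket_proves_immediacy(ticket, host_principal, now)
    if ok:
        refresh_sudo_sentinel(sentinel, now)
    return ok, reason


def run_scenarios():
    """Constructed scenarios; returns {name: outcome} for inspection."""
    host = "host/fargo.example.org@EXAMPLE.ORG"   # constructed principal
    now = 1_700_000_000.0
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sentinel = os.path.join(d, "sentinel")
        # 1. fresh, short-lived ticket for this host -> sentinel refreshed,
        #    sudo a minute later needs no password
        fresh = ServiceTicket("greg@EXAMPLE.ORG", host, now - 2, now + 28)
        handle_ticket_request(sentinel, fresh, host, now)
        results["fresh"] = sudo_timestamp_valid(sentinel, now + 60)
        # 2. same sentinel, but sudo asked after the timeout -> prompt again
        results["expired_sentinel"] = sudo_timestamp_valid(
            sentinel, now + SUDO_TIMESTAMP_TIMEOUT + 1)
        # 3. long-lived ticket (what a ticket derived from a cached TGT looks
        #    like) -> rejected, sentinel never created
        other = os.path.join(d, "sentinel2")
        long_lived = ServiceTicket("greg@EXAMPLE.ORG", host,
                                   now - 3600, now + 8 * 3600)
        ok, _ = handle_ticket_request(other, long_lived, host, now)
        results["long_lived_rejected"] = (not ok) and \
            not sudo_timestamp_valid(other, now)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The lifetime bound is what makes the difference between this scheme and plain TGT-based sudo: a ticket obtained from a long-lived cached TGT fails the `endtime - authtime` check even though it is otherwise valid, so the daemon never touches the sentinel and sudo falls back to prompting.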