On Mon, Oct 04, 2010 at 03:47:00PM -0500, Christopher D. Clausen wrote:
> Note that depending upon your SSH setup, adding user principals to
> root's .k5login (or auth_to_local rules) might allow one to login
> directly as root on the system via SSH.

ISTM that leaves a bit of an administrative headache in updating .k5login files on all the machines. I don't suppose there's a way to get Kerberos or OpenSSH to query LDAP for this instead? I see the question asked in 2007 but only some private patches mentioned:

http://mailman.mit.edu/pipermail/kerberos/2007-October/012353.html

At worst, I guess I could write a script which does an LDAP query every hour and writes the results to root's .k5login.

sudo's testing for group membership seems a lot more attractive in that regard.

Regards,

Brian.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
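
The hourly LDAP-to-.k5login sync mentioned in the message above, sketched as an added example that is not part of the original post or of any Kerberos or OpenSSH code. It assumes the admins are memberUid values of a posixGroup, that uid maps to uid@REALM, and that the LDIF text has already been fetched; the group name, realm and sample entries are constructed.

```python
import base64
import os
import re
import tempfile

# Constructed sample: unfolded LDIF (e.g. ldapsearch -LLL -o ldif-wrap=no).
SAMPLE_LDIF = """\
dn: cn=root-admins,ou=groups,dc=example,dc=org
cn: root-admins
memberUid: brian
memberUid: alice
memberUid: eve@OTHER.REALM
memberUid: mallory/admin
memberUid:: Y2Fyb2w=
"""

# Conservative: one-component names only, so a directory value cannot smuggle
# in another realm, an instance such as "/admin", whitespace or extra lines.
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

def principals_from_ldif(ldif, realm):
    """Return sorted principals for every valid memberUid value in the LDIF."""
    found = set()
    for line in ldif.splitlines():
        if line.startswith("memberUid:: "):        # base64-encoded value
            try:
                uid = base64.b64decode(line[12:], validate=True).decode("utf-8")
            except ValueError:                     # bad base64 or bad UTF-8
                continue
        elif line.startswith("memberUid: "):
            uid = line[11:]
        else:
            continue
        if UID_RE.fullmatch(uid):
            found.add(f"{uid}@{realm}")
    return sorted(found)

def write_k5login(path, principals):
    """Atomically replace path; refuse to write an empty access list."""
    if not principals:
        raise ValueError("no valid principals; keeping existing file")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(p + "\n" for p in principals))
        os.replace(tmp, path)                      # readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
```

Refusing the empty list means a failed or empty LDAP query leaves the previous .k5login in place rather than rewriting root access from a bad result.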