Lee Eric <openlinuxsou...@gmail.com> writes: > Thanks Russ, that's very clear. BTW, I think client users shall use > ksu under local machine, not remote machines. Because I notice that > ksu will prompt me that it's unsafe if I type Kerberos password under > insecure connection.
Yeah, ideally in Kerberos you never enter your password into any remote system, but always authenticate locally and then use Kerberos to authenticate to remote systems. We're moving in that way (by allowing root logins only via GSSAPI), but the tradeoff is that you have to allow remote direct root logins, which makes some a bit uncomfortable. -- Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
