In the admin guide at
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Mapping-Hostnames-onto-Kerberos-Realms
it says:
The second mechanism [for mapping hostnames onto Kerberos realms] works by
looking up the information in special TXT records in the Domain Name
Service. This
I am wondering, what are people using instead of sudo in a Kerberized
environment?
So far I can see the following options:
(1) create separate principals for each user who should have root access,
e.g.
candl...@foo.example.com
candlerb/ad...@foo.example.com
Then map */admin to the
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT record for
_kerberos.server.bar.example.com.
(2) Could any of the DNS responses take precedence over the
On Mon, 2010-10-04 at 12:57 -0400, Greg Hudson wrote:
4. The domain heuristic, if turned on
I should have noted that the domain heuristic was added in MIT krb5 1.7,
which may be newer than the version on your client hosts.
Kerberos mailing
Brian Candler b.cand...@pobox.com writes:
(1) create separate principals for each user who should have root access,
e.g.
candl...@foo.example.com
candlerb/ad...@foo.example.com
Then map */admin to the root account using auth_to_local, and people
can use ksu to switch.
We do
Russ Allbery r...@stanford.edu wrote:
Brian Candler b.cand...@pobox.com writes:
(1) create separate principals for each user who should have root access,
e.g.
candl...@foo.example.com
candlerb/ad...@foo.example.com
Then map */admin to the root account using auth_to_local, and
On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT record for
On 10/4/2010 5:11 PM, Brian Candler wrote:
On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT
Christopher D. Clausen cclau...@acm.org writes:
Russ Allbery r...@stanford.edu wrote:
We do this, except we use .k5login with a specific list of principals that
should have access to root. I wouldn't use auth_to_local for...
Note that depending upon your SSH setup, adding user principals to
On Mon, Oct 4, 2010 at 3:38 PM, Russ Allbery r...@stanford.edu wrote:
Yup. You may want to also disable public key authentication.
We're enabling kerberos for several services at my organization, and
we were just having this same discussion. Can you elaborate on why you
would disable pubkey?
Ken Dreyer ktdre...@ktdreyer.com writes:
On Mon, Oct 4, 2010 at 3:38 PM, Russ Allbery r...@stanford.edu wrote:
Yup. You may want to also disable public key authentication.
We're enabling kerberos for several services at my organization, and
we were just having this same discussion. Can you
FWIW,
In my previous job, we modified sudo (relatively simple patch, I'll
have to dig it up) to use kerberos authentication with a principal
of the format user/sudo@REALM. (sudo supports kerberos auth, but
using the user's login principal, which AFAIC is a horrible mistake
security-wise).
I'm