SecurID add-on

mackay at kodak.com mackay at kodak.com
Thu Sep 21 16:06:22 EDT 2000


From: Scott D. MacKay

Hello all!  Ah, yet another mailing list, heh.

I had a question about the SecurID option for SUDO.  I found this by
accident when I had installed the ACE client and sudo complained about not
finding a /var/ace/sdconf.rec.  Mulling around the examples tree, I saw
there were actually environment variables which affect where it looks for
files, namelyVAR_ACE, USR_ACE, CVT_ACE and DLC (at least accoring to a
script file in that directory).  Setting it for where my sdconf.rec worked
nice, but I thought "Hey, isn't that a security problem?  If someone makes
a remote securid server somwhere and is allowed to point my SUDO lookup
files to it, could they bypass the real authentication?  I did see in the
FAQ about removed variables that a few related to kerberos are removed and
I thought it may be for this reason.

Should sudo be removing these variables too and setting them according to a
configure parameter?



-Scott





More information about the sudo-users mailing list