[sudo-workers] Kerberize sudo

Pavel Březina pbrezina at redhat.com
Thu Nov 14 04:22:29 MST 2019


Hello sudo workers,
we would like to implement Kerberos authentication for sudo as an
alternative to NOPASSWD in environments where other means of
authentication are not available (e.g. when a user logs in with a smartcard
to a remote machine where the smartcard is not physically available and
passwords cannot be used).

The basic idea is to provide a new option as an alternative to NOPASSWD
and !authenticate. Let's say GSSAPI. So the administrator can configure
which rules can use a Kerberos ticket for authentication and which rules
must go through PAM.

If a rule has GSSAPI set, Kerberos authentication will be attempted. If
it is not set, PAM authentication will be used.

We want to check before we start coding - is this something that sudo 
upstream would accept?

Thank you.

Best regards,
Pavel.


