[sudo-workers] Kerberize sudo
pbrezina at redhat.com
Thu Nov 14 04:22:29 MST 2019
Hello sudo workers,

we would like to implement Kerberos authentication for sudo as an
alternative to NOPASSWD in environments where other means of
authentication are not available (e.g. when a user logs in with a smartcard
to a remote machine where the smartcard is not physically available and
passwords cannot be used).

The basic idea is to provide a new option as an alternative to NOPASSWD
and !authenticate. Let's say GSSAPI. So the administrator can configure
which rules can use a Kerberos ticket for authentication and which rules
must go through PAM.

If a rule has GSSAPI set, Kerberos authentication will be attempted. If
it is not set, PAM authentication will be used.

We want to check before we start coding: is this something that sudo
upstream would accept?