[sudo-workers] Kerberize sudo
Todd C. Miller
Todd.Miller at sudo.ws
Fri Nov 15 11:29:58 MST 2019
On Thu, 14 Nov 2019 12:22:29 +0100, Pavel Březina wrote:
> We would like to implement Kerberos authentication for sudo as an
> alternative to NOPASSWD in environments where other means of
> authentication are not available (e.g. when a user logs in with a smartcard
> to a remote machine where the smartcard is not physically available and
> passwords cannot be used).
> The basic idea is to provide a new option as an alternative to NOPASSWD
> and !authenticate. Let's say GSSAPI. So the administrator can configure
> what rules can use a Kerberos ticket for authentication and what rules
> must go through PAM.
> If a rule has GSSAPI set, Kerberos authentication will be attempted. If
> it is not set, PAM authentication will be used.
> We want to check before we start coding - is this something that sudo
> upstream would accept?
It sounds like what you want is a hybrid approach where GSSAPI is
used to verify the Kerberos credentials but PAM is still used to
set up the session. Is that correct?