[sudo-workers] Kerberize sudo

Todd C. Miller Todd.Miller at sudo.ws
Fri Nov 15 11:29:58 MST 2019

On Thu, 14 Nov 2019 12:22:29 +0100, =?UTF-8?Q?Pavel_B=c5=99ezina?= wrote:

> we would like to implement kerberos authentication for sudo as an 
> alternative to NOPASSWD in environments where other means of 
> authentication are not available (e.g. when user logs in with smartcard 
> to a remote machine where the smartcard is not physically available and 
> passwords can not be used).
> The basic idea is to provide new option as an alternative to NOPASSWD 
> and !authenticate. Lets say GSSPAPI. So the administrator can configure 
> what rules can use kerberos ticket for authentication and what rules 
> must go through pam.
> If a rule has GSSAPI set, kerberos authentication will be attempted. If 
> it is not set, pam authentication will be used.
> We want to check before we start coding - is this something that sudo 
> upstream would accept?

It sounds like what you want is a hybrid approach where GSSAPI is
used to verify the Kerberos credentials but PAM is still used to
setup the session.  Is that correct?

 - todd

More information about the sudo-workers mailing list