[sudo-workers] Kerberize sudo

Pavel Březina pbrezina at redhat.com
Mon Nov 18 04:51:31 MST 2019

On 11/15/19 7:29 PM, Todd C. Miller wrote:
> On Thu, 14 Nov 2019 12:22:29 +0100, =?UTF-8?Q?Pavel_B=c5=99ezina?= wrote:
>> we would like to implement kerberos authentication for sudo as an
>> alternative to NOPASSWD in environments where other means of
>> authentication are not available (e.g. when user logs in with smartcard
>> to a remote machine where the smartcard is not physically available and
>> passwords can not be used).
>> The basic idea is to provide new option as an alternative to NOPASSWD
>> and !authenticate. Lets say GSSPAPI. So the administrator can configure
>> what rules can use kerberos ticket for authentication and what rules
>> must go through pam.
>> If a rule has GSSAPI set, kerberos authentication will be attempted. If
>> it is not set, pam authentication will be used.
>> We want to check before we start coding - is this something that sudo
>> upstream would accept?
> It sounds like what you want is a hybrid approach where GSSAPI is
> used to verify the Kerberos credentials but PAM is still used to
> setup the session.  Is that correct?
>   - todd

Correct. I think even pam_acct_mgmt should be called to verify the 
account. Only authentication needs to be done with kerberos ticket.

More information about the sudo-workers mailing list