Anyone familiar with the possibility to authenticate sudo command in /etc/pam.d/sudo with kerberos5 a.k.a with pam_krb5.so library?
1
- I have working authentication with kerberos5 for https and all systems. Is this even possible to have setup where Kerberos ticket grants sudo rights to system?Sami Hulkko– Sami Hulkko2025-01-11 07:56:29 +00:00Commented Jan 11 at 7:56
Add a comment |
1 Answer
SSSD comes with pam_sss_gss.so which supports this. Neither of the two variations of pam_krb5.so (Fedora and RRA) have such a feature, as far as I can see.
Additionally, MIT Kerberos comes with ksu which achieves more-or-less the same thing if you're looking for "unrestricted" sudo.
- Thanks! Good to know. I am in winbind so have to see how I go about it.Sami Hulkko– Sami Hulkko2025-01-11 16:28:39 +00:00Commented Jan 11 at 16:28
- @SamiHulkko: If all you need is passwordless sudo, then,
ksu(or a customized version of ksu) might do the job.grawity– grawity2025-01-12 13:49:08 +00:00Commented Jan 12 at 13:49 - Any way with certificate to achieve sudo auth?Sami Hulkko– Sami Hulkko2025-01-12 18:26:51 +00:00Commented Jan 12 at 18:26
- Locally or via SSH? What kind of certificate?grawity– grawity2025-01-12 19:25:37 +00:00Commented Jan 12 at 19:25
- Local self signed SSL certificate and login via ssh or console.Sami Hulkko– Sami Hulkko2025-01-13 08:54:11 +00:00Commented Jan 13 at 8:54