Using ksu, we can have users take on a different user ID without need
for a password (once they've authenticated as themselves, of course).

For example, a DBA can log in, then:

bob> ksu oracle
Authenticated bob@DOMAIN.COM
Account oracle: authorization for bob@DOMAIN.COM successful
Changing uid to oracle (35000)
oracle# startup_database_3

and the database starts up running under the oracle user ID. su requires
a password. Considering the number of userID's we have that people can
ksu to (for example, many databases actually run under an oracle ID
specific to that database), managing passwords would be a logistics
nightmare.

One thing you have to keep in mind is that we have a lot of fairly
conservative people here. Requiring them to learn a new mechanism to
replace what they've used for years is not an option. It may work for
the sysadmin group, but not for most others. In addition, the mechanism
must be invisible across OS versions. What works on RedHat must work on
Solaris, and what works in Solaris 8 must work in Solaris 10. Don't ask
some of the users to keep track what system/OS/revision they're on,
unless you like a lot of stress in your life. This was set up by someone
much smarter than me (and who was long gone before I got here), before
Sun embraced Kerberos, and changing it would get very little traction.

So, if there is a way to do this with just su and a specific PAM stack,
I'm listening.

Rainer

> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:jhutz@cmu.edu]
> Sent: Friday, June 03, 2005 3:25 PM
> To: Heilke, Rainer; Douglas E. Engert; kerberos@mit.edu
> Subject: RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
>
>
> On Friday, June 03, 2005 01:32:20 PM -0600 "Heilke, Rainer"
> wrote:
>
> >> P.S. What is the other issue?

> >
> > Sun's lack of a ksu binary. The way we use ksu, RBAC and su

> simply do
> > not provide the same functionality. We have an RFE open on

> this. BTW, if
> > anyone else needs ksu, please add your names to the RFE.

>
>
> What do you need in a ksu that you don't get from Solaris's su and a
> properly-configured PAM stack?
>
> -- Jeffrey T. Hutzelman (N3NHS)
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
>
>


________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos