public inbox for overseers@sourceware.org
* sudo again
  2000-12-30  6:08 sudo again Tom Tromey
@ 2000-08-20 11:35 ` Tom Tromey
  2000-12-30  6:08 ` Andrew Cagney
  1 sibling, 0 replies; 4+ messages in thread
From: Tom Tromey @ 2000-08-20 11:35 UTC (permalink / raw)
  To: Overseers List

Chris pointed out to me that I installed sudo but didn't test it, and
it didn't work.  I looked into it.  It fails because none of us have
passwords on sourceware.  This confuses PAM.

Fine.  I looked into making it use our kerberos passwords, but we
don't have the krb4 PAM module installed (and don't we use krb5
anyway?).  So I made it `promiscuous'.  This means that if you are
listed in the sudoers file you won't need to use a password to use
sudo.

Maybe this is lame and dangerous (?).  Another choice would be to give
all the sudoers a real password.  That's an easy change to make: just
revert my change in /etc/pam.d/sudo and tell the list (or ask me to do
it).

Tom


* Re: sudo again
  2000-12-30  6:08 ` Andrew Cagney
@ 2000-08-24  0:01   ` Andrew Cagney
  0 siblings, 0 replies; 4+ messages in thread
From: Andrew Cagney @ 2000-08-24  0:01 UTC (permalink / raw)
  To: tromey; +Cc: Overseers List

Tom Tromey wrote:
> 
> Chris pointed out to me that I installed sudo but didn't test it, and
> it didn't work.  I looked into it.  It fails because none of us have
> passwords on sourceware.  This confuses PAM.
> 
> Fine.  I looked into making it use our kerberos passwords, but we
> don't have the krb4 PAM module installed (and don't we use krb5
> anyway?).  So I made it `promiscuous'.  This means that if you are
> listed in the sudoers file you won't need to use a password to use
> sudo.
> 
> Maybe this is lame and dangerous (?).  Another choice would be to give
> all the sudoers a real password.  That's an easy change to make: just
> revert my change in /etc/pam.d/sudo and tell the list (or ask me to do
> it).

First random thought.  What could go wrong.  I use it here....

Second random thought.  The moment the user has to perform
authentication (enter their password) while logged into sourceware,
you've got the makings of a security problem.  SUDO becomes an obvious
point of attack - capture those passwords.  The less authentication
mechanisms on the machine the better. Can what you want be achieved
using just SSH?

With respect to promiscuous being lame or dangerous.  SUDO will make
little difference.  Going from a normal user will take 10 seconds
instead of 5.

	Andrew
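
The /etc/pam.d/sudo trade-off discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not the change Tom made (the thread does not show it): it evaluates a PAM auth stack under the assumption that the user has no usable password, so every module except pam_permit.so fails, and reports whether the stack still succeeds. The sample files are constructed.

```python
# Added example (not from the thread): can a PAM "auth" stack succeed with no credential?
ALWAYS_OK = {"pam_permit.so"}   # succeeds unconditionally
SIMPLE = {"required", "requisite", "sufficient", "optional"}

def parse_auth(text):
    """Yield (control, module) for each auth entry, skipping comments and other types."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "@include":
            yield "include", fields[1]
        elif len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            yield fields[1], fields[2].rsplit("/", 1)[-1]

def passwordless(text):
    """True/False for simple stacks; None when include or [..] controls need manual review."""
    failed_required = saw_success = False
    optional_ok, non_optional = False, 0
    for control, module in parse_auth(text):
        if control not in SIMPLE:
            return None
        ok = module in ALWAYS_OK   # assumption: every other module fails without a password
        if control == "optional":
            optional_ok = optional_ok or ok
            continue
        non_optional += 1
        if control == "sufficient":
            if ok and not failed_required:
                return True        # stack ends here with success
        elif not ok:
            if control == "requisite":
                return False       # immediate failure
            failed_required = True # required: keep going, but the stack will fail
        else:
            saw_success = True
    if non_optional == 0:
        return optional_ok         # optional only counts when it is all there is
    return saw_success and not failed_required

# Constructed sample files, not the real sourceware configuration.
STRICT = "#%PAM-1.0\nauth required pam_unix.so\naccount required pam_permit.so\n"
PROMISCUOUS = "auth sufficient pam_permit.so\nauth required pam_unix.so\n"
LATE_PERMIT = "auth required pam_unix.so\nauth sufficient pam_permit.so\n"
INCLUDED = "auth include system-auth\n"

if __name__ == "__main__":
    for name in ("STRICT", "PROMISCUOUS", "LATE_PERMIT", "INCLUDED"):
        print(name, passwordless(globals()[name]))
```

A None result means the file pulls in another stack or uses bracketed controls, which this sketch does not model and which need to be read by hand.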

