5.20. Sharing root Privileges via Kerberos su

Problem

You want to obtain root privileges in a Kerberos environment.

Solution

Use ksu.

To obtain a root shell:

$ ksu

To obtain a shell as user barney:

$ ksu barney

To use another Kerberos principal besides your default for authentication:

$ ksu [user] -n principal ...

To execute a specific command under the target uid, rather than get a login shell:

$ ksu [user] -e command

Discussion

Like the usual Unix su program, ksu allows one account to access another, if the first account is authorized to do so. Unlike su, ksu does authentication using Kerberos rather than plain passwords, and has many more options for authorization.

With su, one simply types su <target>. su prompts for the target account’s password; if the user supplies the correct password, su starts a shell under the target account’s uid (or executes another program supplied on the su command line). With ksu, both authentication and authorization are done differently.

Authentication

ksu performs authentication via Kerberos, so you must select a Kerberos principal to use. First, ksu tries the default principal indicated in your current Kerberos credentials cache (shown by the klist command). If you have no credentials, ksu falls back to the default principal indicated by your Unix account name and the local Kerberos configuration. For example, if your Unix username is fred and the Kerberos realm of your host is FOO.ORG, then your default principal would normally be fred@FOO.ORG (note that Kerberos ...
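The selection order described above can be checked before running ksu, so you know which principal will be presented. The following is an added example, not code from the book: the function names are hypothetical, the klist output and krb5.conf text are constructed samples, and it assumes MIT Kerberos conventions (a "Default principal:" line in klist output, default_realm under [libdefaults]).

```shell
#!/bin/sh
# Added example: reproduces the two-step default-principal choice described
# in the text. Inputs are passed as text so it runs offline on samples.

# Read klist output on stdin; print the cache's default principal, if any.
principal_from_klist() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Read krb5.conf text on stdin; print default_realm from [libdefaults] only.
realm_from_krb5conf() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }'
}

# default_principal KLIST_TEXT UNIX_USER KRB5CONF_TEXT
# Step 1: principal from the credentials cache. Step 2: user@default_realm.
# Returns non-zero when neither source yields a principal.
default_principal() {
    p=$(printf '%s\n' "$1" | principal_from_klist)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    realm=$(printf '%s\n' "$3" | realm_from_krb5conf)
    [ -n "$realm" ] || return 1
    printf '%s@%s\n' "$2" "$realm"
}

# Constructed sample: a cache holding barney's credentials on fred's account.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: barney@FOO.ORG

Valid starting     Expires            Service principal'

# Constructed sample configuration for the realm used in the text.
SAMPLE_CONF='[libdefaults]
    default_realm = FOO.ORG
[realms]
    FOO.ORG = { kdc = kdc.foo.org }'

default_principal "$SAMPLE_KLIST" fred "$SAMPLE_CONF"   # cache wins
default_principal "" fred "$SAMPLE_CONF"                # falls back to fred
```

On a live host, feed it real data with `default_principal "$(klist 2>/dev/null)" "$(id -un)" "$(cat /etc/krb5.conf)"`; a stale cache holding someone else's principal shows up in the first case.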
