su privileges

Kerberos allows us to give each user who needs root privileges their own separate su password. We could now add an id which is authorized to su to root. This is controlled by having an instance of root associated with a principal. Using kdb_edit we can create the entry jane.root in the Kerberos database:
grunt# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: jane
Instance: root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
Now try getting tokens for it to make sure it works:
grunt# kinit jane.root
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane.root"
Password:
Now we need to add the user to root's .klogin file:
grunt# cat /root/.klogin
jane.root@GRONDAR.ZA
Now try doing the su:
[jane@grunt 10407] su
Password:
grunt#
and take a look at what tokens we have:
grunt# klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@GRONDAR.ZA
Issued Expires Principal
May 2 20:43:12 May 3 04:43:12 krbtgt.GRONDAR.ZA@GRONDAR.ZA
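Because /root/.klogin is what decides who may su to root once they hold a root-instance ticket, it is worth auditing it regularly. The following script is an added example, not code from the Handbook or from the Kerberos distribution; the function names are made up for the illustration. It assumes the file holds one principal per line in the form user.instance@REALM, with "#" comments and blank lines ignored, and that the realm to expect is passed as an argument. The .klogin contents it checks are a constructed sample, not the file from the session above.

```shell
#!/bin/sh
# Added example (not from the Handbook): audit a .klogin file that lists the
# Kerberos principals allowed to su to root on this host.
# Assumptions: one principal per line as user.instance@REALM; "#" comments and
# blank lines are ignored; the expected realm is given as an argument.

# Escape the dots in a realm so it can be used inside a grep/sed BRE.
realm_pattern() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# klogin_entries FILE: the entries of FILE without comments and blank lines.
klogin_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# klogin_count FILE: how many principals are listed.
klogin_count() {
    klogin_entries "$1" | wc -l | tr -d ' '
}

# klogin_users FILE REALM: the login names that hold a root instance in REALM,
# i.e. the people who can actually become root through this file.
klogin_users() {
    klogin_entries "$1" | sed -n "s/^\([^.@]*\)\.root@$(realm_pattern "$2")\$/\1/p"
}

# klogin_bad_entries FILE REALM: print every entry that is NOT of the expected
# form user.root@REALM (no root instance, or a foreign realm). Returns 0 when
# there are none, 1 when at least one such entry was printed.
klogin_bad_entries() {
    if klogin_entries "$1" | grep -v "^[^.@][^.@]*\.root@$(realm_pattern "$2")\$"; then
        return 1
    fi
    return 0
}

# klogin_mode_ok FILE: fail if the file is group- or world-writable, since
# anyone who can edit it can add their own principal. Reads the ls(1) mode
# string (char 6 = group write, char 9 = other write) for portability.
klogin_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Constructed sample .klogin for the demonstration (NOT the real /root/.klogin).
SAMPLE_KLOGIN=${TMPDIR:-/tmp}/klogin_example.$$
cat > "$SAMPLE_KLOGIN" <<'EOF'
# constructed sample: who may su to root on grunt
jane.root@GRONDAR.ZA
bob.root@GRONDAR.ZA

mallory@GRONDAR.ZA
eve.root@OTHER.REALM
EOF
chmod 600 "$SAMPLE_KLOGIN"

echo "entries listed: $(klogin_count "$SAMPLE_KLOGIN")"
echo "root-instance users in GRONDAR.ZA: $(klogin_users "$SAMPLE_KLOGIN" GRONDAR.ZA | tr '\n' ' ')"
if klogin_bad_entries "$SAMPLE_KLOGIN" GRONDAR.ZA; then
    echo "no unexpected entries"
else
    echo "review the unexpected entries printed above"
fi
klogin_mode_ok "$SAMPLE_KLOGIN" && echo "file mode ok" || echo "file is group/world writable"
```

Run against the sample, the audit reports four entries, two root-instance users (jane and bob), and flags mallory@GRONDAR.ZA (no root instance) and eve.root@OTHER.REALM (foreign realm) for review. Point it at the real file with `klogin_bad_entries /root/.klogin GRONDAR.ZA` from a cron job or a configuration check to catch entries that were not added on purpose.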