
Re: changing the login password's requirement



Ankush Grover wrote:
Hey friends,

[snip]

Such thing is possible or not.

Yes, it's possible... open source makes it so. Though I don't see the value of being asked to enter the same thing twice.


However, something I *would like* is a way to log on to one ID but specifying the password of another. Sounds crazy.... but here's how it works:

logon to user x "by y"
system prompts for/wants password for user "y"
correct password is entered, authentication success, log on complete.

User "x" is now logged on with all of user x authority etc, just as if user x password was used.

Then the key part is to authorize who (which y) can actually log on to x.

This is already done on other systems (IBM mainframe VM system) and is very helpful in terms of security... no need to ever share the password for root (or any other ID).

There is an audit trail showing who logged on to the ID.

Of course originally someone has to log on to root to grant the first permission... but after that, root never needs to be logged on using root's password.

By extension, such a mechanism could be applicable to the use of "su -". Instead of prompting for root's password, prompt for the current user password, then see if that user is authorized to log on to root.

You could get away with not prompting, taking the approach that the user already logged on, but the prompt is still a good idea in case user y steps away and a new guy secretly uses "su -"...
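
The "logon x by y" flow described in this message, as an added Python sketch (not part of the original post, and not how the VM system implements it): y's password is verified, y's grant for x is checked, and every attempt is written to an audit list. The names `USERS`, `LOGON_BY`, `AUDIT` and `logon_by`, and the accounts and passwords, are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _enroll(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed sample accounts; names and passwords are placeholders.
USERS = {"root": _enroll("root-pw"), "alice": _enroll("alice-pw"),
         "bob": _enroll("bob-pw")}
# Grant table: target ID -> IDs allowed to log on to it with their own password.
LOGON_BY = {"root": {"alice"}}
AUDIT = []  # one record per attempt, granted or denied

_DUMMY = _enroll("unused")  # hashed for unknown IDs so timing stays similar

def _password_ok(user: str, password: str) -> bool:
    salt, digest = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(_kdf(password, salt), digest)
    return match and user in USERS

def logon_by(target: str, by: str, password: str):
    """Log on to `target` with the password of `by`; return session ID or None."""
    if not _password_ok(by, password):
        reason = "bad-password"
    elif target not in USERS or (
            by != target and by not in LOGON_BY.get(target, set())):
        reason = "not-authorized"
    else:
        reason = "ok"
    # The audit record names the person who authenticated, not just the target.
    AUDIT.append({"time": datetime.now(timezone.utc).isoformat(),
                  "target": target, "by": by, "reason": reason})
    return target if reason == "ok" else None

if __name__ == "__main__":
    for attempt in [("root", "alice", "alice-pw"), ("root", "bob", "bob-pw"),
                    ("root", "alice", "guess")]:
        print(attempt[:2], "->", logon_by(*attempt))
    for record in AUDIT:
        print(record)
```

The caller only learns granted or denied; the distinction between a wrong password and a missing grant is kept in the audit record.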

