changing the login password's requirement
Don Russell
fedora at drussell.dnsalias.com
Tue Apr 19 21:19:59 UTC 2005
Ankush Grover wrote:
> Hey friends,
>
[snip]
> Such thing is possible or not.
Yes, it's possible... open source makes it so. Though I don't see the
value of being asked to enter the same thing twice.
However, something I *would like* is a way to log on to one ID but
specifying the password of another. Sounds crazy.... but here's how it
works:
logon to user x "by y"
system prompts for/wants password for user "y"
correct password is entered, authentication success, log on complete.
User "x" is now logged on with all of user x authority etc, just as if
user x password was used.
Then the key part is to authorize who (which y) can actually log on to x.
This is already done on other systems (IBM mainframe VM system) and is
very helpful in terms of security... no need to ever share the password
for root (or any other ID).
There is an audit trail showing who logged on to the ID.
Of course originally someone has to log on to root to grant the first
permission... but after that, root never needs to be logged on using
root's password.
By extension, such a mechanism could be applicable to the use of "su -".
Instead of prompting for root's password, prompt for the current user
password, then see if that user is authorized to log on to root.
You could get away with not prompting, taking the approach that the user
already logged on, but the prompt is still a good idea in case user y
steps away and a new guy secretly uses "su -"...
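
The "logon to x by y" scheme described in the message above, as an added example that is not part of the original post: a minimal Python model in which y's own password is checked, a grant list decides whether y may log on to x, and every attempt is audited under y's name. The class LogonBy, its method names and the sample users are hypothetical.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LogonBy:
    """Hypothetical model: log on to `target` by proving you are `by`."""

    def __init__(self):
        self.creds = {}   # user -> (salt, derived key)
        self.grants = {}  # target ID -> users allowed to log on to it
        self.audit = []   # one record per attempt, success or not

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, _derive(password, salt))

    def grant(self, target, by):
        self.grants.setdefault(target, set()).add(by)

    def _password_ok(self, user, password):
        # Unknown users still cost one derivation, so timing does not
        # reveal which IDs exist.
        salt, stored = self.creds.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(_derive(password, salt), stored)

    def logon(self, target, by, password):
        """Return the effective ID (`target`) on success, else None."""
        if not self._password_ok(by, password):
            reason = "bad password"
        elif by not in self.grants.get(target, set()):
            reason = "not authorized"
        else:
            reason = None
        # The audit record names the real person, not just the shared ID.
        self.audit.append({"time": time.time(), "target": target, "by": by,
                           "result": reason or "success"})
        return target if reason is None else None


if __name__ == "__main__":
    s = LogonBy()
    s.add_user("y", "y-secret")  # constructed sample data
    s.grant("root", "y")
    print(s.logon("root", by="y", password="y-secret"), s.audit[-1])
```

The target ID's own password is never consulted, so it does not have to be shared or even known to the people granted access.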