changing the login password's requirement
Jeff Vian
jvian10 at charter.net
Wed Apr 20 02:15:30 UTC 2005
On Tue, 2005-04-19 at 14:19 -0700, Don Russell wrote:
> Ankush Grover wrote:
> > Hey friends,
> >
> [snip]
>
> > Such thing is possible or not.
>
> Yes, it's possible... open source makes it so. Though I don't see the
> value of being asked to enter the same thing twice.
>
> However, something I *would like* is a way to log on to one ID but
> specifying the password of another. Sounds crazy.... but here's how it
> works:
>
> logon to user x "by y"
> system prompts for/wants password for user "y"
> correct password is entered, authentication success, log on complete.
>
> User "x" is now logged on with all of user x authority etc, just as if
> user x password was used.
>
> Then the key part is to authorize who (which y) can actually log on to x.
>
> This is already done on other systems (IBM mainframe VM system) and is
> very helpful in terms of security... no need to ever share the password
> for root (or any other ID).
>
> There is an audit trail showing who logged on to the ID.
>
> Of course originally someone has to log on to root to grant the first
> permission... but after that, root never needs to be logged on using
> root's password.
>
> By extension, such a mechanism could be applicable to the use of "su -".
> Instead of prompting for root's password, prompt for the current user
> password, then see if that user is authorized to log on to root.
>
> You could get away with not prompting, taking the approach that the user
> already logged on, but the prompt is still a good idea in case user y
> steps away and a new guy secretly uses "su -"...
>
sudo already does that on a command-by-command basis (although only to
the root privileges).
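
An added example, not part of the original thread: a sudoers fragment that maps the "log on to x by y" scheme discussed above onto sudo, covering who may become which ID, the audit trail, and re-prompting for the caller's own password. The user names (alice, bob, carol, dbadmin), the drop-in file name and the log path are constructed for illustration.

```sudoers
# /etc/sudoers.d/logon-by   (constructed file name; edit with: visudo -f <file>)

# Audit trail: record every sudo invocation, including the invoking user ("y")
# and the target user ("x"). The log path here is an assumption.
Defaults logfile=/var/log/sudo.log

# Always ask for the invoking user's own password, with no cached credential,
# so an unattended session cannot be used to switch identity silently.
Defaults timestamp_timeout=0

# Authorization list: which "y" may log on as which "x".
User_Alias ROOT_OPERATORS = alice, bob

# alice and bob may obtain a root shell or run any command as root,
# authenticating with their own password, never root's.
ROOT_OPERATORS ALL = (root) ALL

# carol may act only as the dbadmin account, not as root.
carol ALL = (dbadmin) ALL
```

With this in place, `sudo -i` gives alice a root login shell after she enters her own password, and `sudo -u dbadmin -i` does the same for carol and the dbadmin account.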