
ksu setup notes

How ksu works

ksu works by first checking a user's Kerberos 5 credentials and verifying that they are who they claim to be. This means that a user must have a valid Kerberos 5 ticket (e.g. they have run kinit or logged in via Kerberos) in order to use ksu.

After verifying the user's identity, it checks for two files in the target account's home directory, .k5login and .k5users. If the user's Kerberos principal is listed in the .k5login file they are allowed full access to the target account - see the section on granting full access for more details. If the user is not in the .k5login file, then ksu checks in the .k5users file, which contains a list of users and commands they are allowed to execute - see the section on granting limited access for more details.

Note that ksu does not (and cannot) give the user a Kerberos ticket or AFS token for the new account; it only changes their Unix identity.

How to set up a machine to use ksu

  1. Make sure the ksu binary (/usr/local/krb5/bin/ksu) is owned by root and setuid-root.
  2. Make sure the host has a host key, typically this means that /etc/krb5.keytab exists. If it doesn't you will need to add one - please see the web page on adding a host to the Kerberos database for directions.
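The two setup steps above can be checked from a script before handing the machine over. The following Python is an added example written for these notes, not NCSA's own tooling; it uses the ksu and keytab paths given above and assumes, beyond what the notes say, that a setuid binary or a keytab should not be writable (or, for the keytab, readable) by group or other, since either would undermine the trust placed in the host key and the root-owned binary.

```python
import os
import stat

# Paths as given in the setup notes above.
KSU_PATH = "/usr/local/krb5/bin/ksu"
KEYTAB_PATH = "/etc/krb5.keytab"


def check_ksu_binary(path=KSU_PATH):
    """Return a list of problems with the ksu binary; an empty list means OK.

    The notes require the binary to be owned by root and setuid-root.  The
    group/other-writable check is an added assumption: a setuid binary that
    someone else can modify is a root escalation path for that someone.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    problems = []
    if st.st_uid != 0:
        problems.append(f"{path} is owned by uid {st.st_uid}, not root")
    if not st.st_mode & stat.S_ISUID:
        problems.append(f"{path} is not setuid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is writable by group or other")
    return problems


def check_keytab(path=KEYTAB_PATH):
    """Return a list of problems with the host keytab; an empty list means OK.

    The notes only require the file to exist.  The emptiness and permission
    checks are added assumptions: an empty keytab holds no host key, and a
    keytab readable by others leaks the host's long-term key.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist: add a host key first"]
    problems = []
    if st.st_size == 0:
        problems.append(f"{path} is empty")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is readable or writable by group or other")
    return problems


def check_setup(ksu=KSU_PATH, keytab=KEYTAB_PATH):
    """Combine both checks into one report keyed by what was checked."""
    return {"ksu": check_ksu_binary(ksu), "keytab": check_keytab(keytab)}


if __name__ == "__main__":
    for name, problems in check_setup().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it as root on the machine being set up; every line should read OK before ksu is expected to work.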

How to give a user full access to an account

In order to give a user full access to an account (i.e. they can get a shell running as the account's uid), they need to have their Kerberos principal listed (one to a line) in the .k5login file in the target account's home directory.

For example if you want joe@NCSA.EDU and jeff@NCSA.EDU to be able to change their user identity to the account krb5adm, then the file ~krb5adm/.k5login should look like:

    joe@NCSA.EDU
    jeff@NCSA.EDU

Note that root's home directory is not always "/", so check first.

Then, assuming you're joe and you have a valid Kerberos ticket, you just run ksu krb5adm, and you should find yourself running as user krb5adm.

How to give a user limited access to an account

In order to give a user limited access to an account (i.e. they can only run specified commands), they need to be listed in the .k5users file in the target account's home directory, followed by a space-delimited list of commands they are allowed to execute.

A * in the list of commands means the user can run any command.

For example, if you want joe@NCSA.EDU to be able to run only the commands dump and /etc/mount as root, and the user jeff@NCSA.EDU to be able to run any command as root, the file ~root/.k5users should look like:

    joe@NCSA.EDU dump /etc/mount
    jeff@NCSA.EDU *

Then, assuming you're joe and you have a valid Kerberos ticket, you just run ksu -e /etc/mount or ksu -e dump to execute those commands as root.

Note that the file .k5login overrides the .k5users file. So if a user is in .k5login they will be able to get a shell, regardless of what is in .k5users. If you want to restrict what commands a user can run, you must make sure they do not appear in .k5login.
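The authorization rules described in the two sections above (full access via .k5login, limited access via .k5users, and .k5login taking precedence) can be modelled in a few lines so that an administrator can audit a pair of files before relying on them. The Python below is an added example for these notes, not ksu's own code: it reproduces the decision as the notes describe it and includes an audit helper that lists principals whose limited .k5users entry is silently overridden by a .k5login entry. It assumes, as a simplification, that commands are matched by exact string and that a .k5users-only entry never yields a shell; the sample file contents are constructed to mirror the examples in the notes.

```python
# Constructed sample contents mirroring the examples in the notes.
K5LOGIN_KRB5ADM = "joe@NCSA.EDU\njeff@NCSA.EDU\n"
K5USERS_ROOT = "joe@NCSA.EDU dump /etc/mount\njeff@NCSA.EDU *\n"


def parse_k5login(text):
    """Principals granted full access, one per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_k5users(text):
    """Map principal -> list of permitted commands; ['*'] means any command."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rules[fields[0]] = fields[1:]
    return rules


def decide(principal, k5login_text, k5users_text, command=None):
    """Model of the ksu decision as the notes describe it.

    command=None means the caller wants a shell as the target account.
    Returns 'shell', 'command' or 'deny'.
    Assumptions (not stated by ksu itself): exact-string command matching,
    and no shell for principals authorized only through .k5users.
    """
    # .k5login wins outright: full access, whatever .k5users says.
    if principal in parse_k5login(k5login_text):
        return "shell" if command is None else "command"
    allowed = parse_k5users(k5users_text).get(principal)
    if allowed is None or command is None:
        return "deny"
    if "*" in allowed or command in allowed:
        return "command"
    return "deny"


def overridden_restrictions(k5login_text, k5users_text):
    """Principals whose limited .k5users entry is moot because they are in .k5login.

    These are exactly the cases the note above warns about: the .k5users
    restriction gives a false sense of limitation, since the shell is granted.
    """
    full = parse_k5login(k5login_text)
    return sorted(p for p, cmds in parse_k5users(k5users_text).items()
                  if p in full and cmds != ["*"])


if __name__ == "__main__":
    print(decide("joe@NCSA.EDU", K5LOGIN_KRB5ADM, "", None))        # shell as krb5adm
    print(decide("joe@NCSA.EDU", "", K5USERS_ROOT, "/etc/mount"))   # command as root
    print(decide("joe@NCSA.EDU", "", K5USERS_ROOT, "/bin/sh"))      # deny
    print(overridden_restrictions("joe@NCSA.EDU\n", K5USERS_ROOT))  # ['joe@NCSA.EDU']
```

The last function is the useful audit: run it over ~root/.k5login and ~root/.k5users and any principal it lists has a shell as root despite the command list next to its name.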

Help

If you've set things up as described above and it still doesn't seem to be working right, first check the troubleshooting page. If that doesn't solve your problem please contact kerberos@ncsa.uiuc.edu for assistance.


Comments or questions about this page may be sent to kerberos@ncsa.uiuc.edu