On Tue, 2005-04-19 at 14:19 -0700, Don Russell wrote:
> Ankush Grover wrote:
> > Hey friends,
> >
> [snip]
> >
> > Is such a thing possible or not?
>
> Yes, it's possible... open source makes it so. Though I don't see the
> value of being asked to enter the same thing twice.
>
> However, something I *would like* is a way to log on to one ID but
> specifying the password of another. Sounds crazy.... but here's how it
> works:
>
> logon to user x "by y"
> system prompts for/wants password for user "y"
> correct password is entered, authentication succeeds, logon complete.
>
> User "x" is now logged on with all of user x's authority etc., just as if
> user x's password had been used.
>
> Then the key part is to authorize who (which y) can actually log on to x.
>
> This is already done on other systems (IBM mainframe VM system) and is
> very helpful in terms of security... no need to ever share the password
> for root (or any other ID).
>
> There is an audit trail showing who logged on to the ID.
>
> Of course originally someone has to log on to root to grant the first
> permission... but after that, root never needs to be logged on using
> root's password.
>
> By extension, such a mechanism could be applicable to the use of "su -".
> Instead of prompting for root's password, prompt for the current user's
> password, then see if that user is authorized to log on to root.
>
> You could get away with not prompting, taking the approach that the user
> is already logged on, but the prompt is still a good idea in case user y
> steps away and a new guy secretly uses "su -"...

sudo already does that on a command-by-command basis (although only for root privileges).
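The sudoers configuration that gives the "logon to x by y" behaviour described above, as an added example (not from the original thread or from the sudo project): the invoking user proves their own password, the policy says which groups may become which accounts, and every invocation is logged. It also goes slightly beyond the reply by showing a non-root target account through sudo's Runas specification. Group names (admins, dba), the target account (oracle) and the file name are assumptions.

```sudoers
## /etc/sudoers.d/delegated-logins  (added example; group and account names are assumptions)

# Ask for the invoking user's own password, never the target account's.
# (!rootpw and !targetpw are already sudo's defaults; stated so the intent is explicit.)
Defaults        !rootpw, !targetpw

# Re-prompt on every invocation: no cached credential for someone who walks up
# to an unlocked session after user "y" has stepped away.
Defaults        timestamp_timeout=0

# Audit trail: who ran what, as whom, from which tty, plus a session typescript.
Defaults        logfile="/var/log/sudo.log"
Defaults        log_output
Defaults        iolog_dir="/var/log/sudo-io"

# Who (y) may become which account (x):
#   members of "admins" may run anything as root (including a login shell),
#   members of "dba" may become "oracle", and only "oracle", with their own password.
%admins         ALL = (root) ALL
%dba            ALL = (oracle) ALL
```

With this in place a member of dba runs `sudo -u oracle -i`, is prompted for their own password, and lands in oracle's login shell; the line written to /var/log/sudo.log names the invoking user, the TTY, the target user and the command, which is the audit trail the mainframe "by" logon provides. An admins member gets the `su -` equivalent with `sudo -i`, again without root's password ever being shared. Session recording (`log_output`, `iolog_dir`) arrived in later sudo releases; a 2005-era sudo only has the logfile line, so drop the two I/O-log lines there. Edit such files with `visudo -f`, which refuses to save a syntactically broken policy.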