.k5login wildcard

Dr. Greg Wettstein greg at wind.enjellic.com
Wed Oct 22 10:30:28 EDT 2003


On Oct 21,  3:43pm, Michael Conlen wrote:
} Subject: .k5login wildcard

Good morning to Michael and everyone on the list.

> I am trying to work out a system where a principal
> 
> */root at REALM
> 
> has access to login to an account (guess which one) or su to that 
> account. I noticed a few years ago David Cross merged in a patch with 
> alpha support for wildcards in the .k5login file, but that's the last I 
> ever saw of it. This functionality would be hyperuseful for us as we 
> could assign or revoke privs based on available principals as opposed to 
> updating 2000 machines. (Consider an administrator being fired, you have 
> to update all those machines fast, or just remove a principal in the KDC).
> 
> In any case, is this functionality around in code anymore, and if so, how 
> would one go about using it?

You are running into the classic authorization vs. authentication
issue.

I'm not sure that I will be in your timeframe but the primary focus of
the Hurderos Project was to develop a fine grained authorization
system to solve problems such as this.  The project focus has been to
implement the authorization checks via PAM in order to expedite field
deployment of authorization enabled software.

We have a Hurderos enabled sudo utility that makes it possible to
remove administrative user rights by simply disabling the SUDO service
for that identity.  The example of root access is also why work
focused on developing a system which could securely differentiate
between a generic and machine specific authorization.

The licensing issues have finally been resolved.  I don't know whether
everyone will agree with them but the code will be available which was
my primary goal.

I'm headed to an obedience trial with my Golden Retriever Iggy this
weekend.  If I can convince him to drive I hope to have a hurderos.org
website up in the near future.

> Thank you for your time.
> 
> --
> Michael Conlen

Drop me a note if you would like a copy of the white paper which
describes the authorization technology more completely.  Otherwise it
will be up on the new website shortly, for some definition of shortly.

Best wishes for a pleasant week.

Greg

}-- End of excerpt from Michael Conlen

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Programming without software engineering is like sculpting with a
chain saw.  The very talented can produce a work of art, the mediocre
wind up with a misshapen lump in a pile of rubble, and in neither case
does the end result have more than a passing resemblance to the
original intent."
                                -- Bill Davidsen
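[Editor's note, not part of the thread above.]  The wildcard entry Michael
asks about is an authorization rule layered on top of Kerberos
authentication: the KDC proves who the caller is, and the .k5login file
decides whether that identity may become this account.  Stock MIT krb5
compares each .k5login line against the authenticated principal exactly,
so "*/root@REALM" there is just a principal named "*" with instance "root".
The Python below is an added example written for this page, not MIT code,
not the alpha wildcard patch Michael mentions, and not Hurderos; it shows
what such a matcher would have to get right.  Assumed semantics: a "*"
standing alone as one component matches any single component, the realm is
never wildcarded, a principal must carry an explicit realm, and a pattern
that is wildcards all the way ("*@REALM") is refused rather than silently
granting the account to the whole realm.  The sample .k5login is
constructed for the example.

```python
"""Illustrative .k5login-style authorization check with wildcard components.

Added example for this page.  It is not krb5_kuserok(), not the alpha
wildcard patch discussed on the list, and not Hurderos code.  Assumptions:
a lone '*' component matches any one component; the realm is never
wildcarded; every principal string carries an explicit realm.
"""
from __future__ import annotations

from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Principal:
    components: tuple[str, ...]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm.

    Backslash escapes ('\\/', '\\@') are honoured so that a literal '/' or
    '@' inside a component is not taken as a separator.
    """
    comps = []
    buf = []
    realm = None  # becomes a list once '@' has been seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            (buf if realm is None else realm).append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            comps.append("".join(buf))
            buf = []
        elif realm is None and ch == "@":
            comps.append("".join(buf))
            buf = []
            realm = []
        elif realm is None:
            buf.append(ch)
        else:
            realm.append(ch)
        i += 1
    if not realm:
        raise ValueError(f"principal {text!r} lacks an explicit realm")
    if any(c == "" for c in comps):
        raise ValueError(f"principal {text!r} has an empty component")
    return Principal(tuple(comps), "".join(realm))


def matches(pattern: Principal, principal: Principal) -> bool:
    """True if the .k5login pattern admits the authenticated principal.

    The realm must be identical.  A wildcard realm would admit any
    cross-realm principal the KDC happens to trust, which is never the
    intent of a per-account file, so it is rejected outright.
    """
    if pattern.realm == WILDCARD or pattern.realm != principal.realm:
        return False
    if len(pattern.components) != len(principal.components):
        return False
    return all(p == WILDCARD or p == c
               for p, c in zip(pattern.components, principal.components))


def load_k5login(text: str) -> list[Principal]:
    """Parse .k5login contents, one principal or pattern per line.

    A pattern whose every component is a wildcard ('*@REALM') would hand
    the account to the entire realm; this example refuses the file rather
    than honouring such a line.
    """
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pat = parse_principal(line)
        if all(c == WILDCARD for c in pat.components):
            raise ValueError(f"refusing realm-wide pattern {line!r}")
        patterns.append(pat)
    return patterns


def authorized(principal: str, k5login_text: str) -> bool:
    """Authorization decision: does any .k5login line admit this principal?"""
    who = parse_principal(principal)
    return any(matches(pat, who) for pat in load_k5login(k5login_text))


# Constructed sample root .k5login in the shape Michael describes: any
# principal with a 'root' instance in the realm, plus one exact entry.
SAMPLE_K5LOGIN = """\
*/root@EXAMPLE.COM
greg@EXAMPLE.COM
"""

if __name__ == "__main__":
    for p in ("alice/root@EXAMPLE.COM", "alice@EXAMPLE.COM",
              "alice/root@OTHER.ORG", "greg@EXAMPLE.COM"):
        verdict = "allow" if authorized(p, SAMPLE_K5LOGIN) else "deny"
        print(f"{p:28} -> {verdict}")
```

Note what the realm and component-count checks buy: "alice@EXAMPLE.COM"
is denied by "*/root@EXAMPLE.COM" because it has one component, not two,
and "alice/root@OTHER.ORG" is denied regardless of any cross-realm trust.
Revocation then works the way Michael wants it to: deleting alice/root from
the KDC means no ticket can ever be issued for that name, so every machine
carrying this .k5login denies it without being touched.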