UI for Kerberos accounts administration

Sam Hartman hartmans at MIT.EDU
Fri Aug 20 12:25:36 EDT 2004


>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:

    Lukas> I'm planning to build a web interface for administering
    Lukas> our Kerberos/OpenAFS/LDAP accounts.  How should I pass
    Lukas> credentials to the web service? I can use the mod_auth_kerb
    Lukas> module for Apache. Then some wrapper script will call
    Lukas> kadmin command. When I want kadmin not to ask for password
    Lukas> every time it is called, I'll have to create an
    Lukas> administrator's keytab stored on the webserver. That way
    Lukas> appears not to be secure.  

Why is this not secure?  It places your web service in the role of a
privilege delegation service rather than acting as the user
directly.

You actually tend to want this though.  At many sites it is reasonable
for a larger set of users to go through all the steps of creating a
properly configured account all at once than it is to allow a user to
only go through one of the steps of account setup.  If only the web
server is authorized to act, it can enforce constraints like this.

--Sam
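
The delegation model described in the reply above, as an added example that is not part of the original thread: a wrapper that checks the principal the web server authenticated against an operator list, validates the requested username, and exposes only the complete account-creation sequence. The realm, admin principal, keytab path, operator list and username rule are assumptions, and the LDAP step is left out.

```python
import re

# All values below are assumptions for illustration, not from the thread.
REALM = "EXAMPLE.ORG"
ADMIN_PRINC = f"webadmin/admin@{REALM}"         # identity held in the keytab
KEYTAB = "/etc/krb5kdc/webadmin.keytab"         # hypothetical path
OPERATORS = {f"alice@{REALM}", f"bob@{REALM}"}  # users allowed to delegate

# Strict allow-list for new usernames: no spaces, quotes, slashes or '@',
# so a name cannot alter the kadmin query or name an instance like x/admin.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{1,15}")


class Denied(Exception):
    """Raised when the policy refuses a request."""


def plan_account_creation(remote_user, new_username):
    """Return the full ordered command list for one account, or raise Denied.

    remote_user is the principal the web server authenticated
    (for example REMOTE_USER as set by mod_auth_kerb).
    """
    if remote_user not in OPERATORS:
        raise Denied(f"{remote_user!r} may not create accounts")
    if not USERNAME_RE.fullmatch(new_username or ""):
        raise Denied("invalid username")
    princ = f"{new_username}@{REALM}"
    # The only operation exposed is the whole sequence: callers cannot ask
    # for a single step or supply their own kadmin query. Each entry is an
    # argv list intended for subprocess.run(argv) with no shell involved.
    return [
        ["kadmin", "-p", ADMIN_PRINC, "-k", "-t", KEYTAB,
         "-q", f"addprinc -randkey {princ}"],
        ["pts", "createuser", "-name", new_username],
    ]
```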


