UI for Kerberos accounts administration

Lukas Kubin kubin at opf.slu.cz
Mon Aug 23 05:34:14 EDT 2004


Sam Hartman wrote:
> >>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:
> 
> 
>     Lukas> I'm planning to build an web interface for administering
>     Lukas> our Kerberos/OpenAFS/LDAP accounts.  How should I pass
>     Lukas> credentials to the web service? I can use the mod_auth_kerb
>     Lukas> module for Apache. Then some wrapper script will call
>     Lukas> kadmin command. When I want kadmin not to ask for a password
>     Lukas> every time it is called, I'll have to create an
>     Lukas> administrator's keytab stored on the webserver. That way
>     Lukas> appears not to be secure.
> 
> Why is this not secure?  It places your web service in the role as a
> privilege delegation service rather than as acting as the user
> directly.

In this design I need to store the administrator's password in a keytab file
on the webserver. In case someone breaks into the webserver, he/she can
easily misuse the keytab to "administer" our Kerberos accounts. That's
what I consider insecure.

Do the K5 enabled sites administer accounts this way?

How do they create accounts for new users? Using some shell script - 
kadmin wrapper? Are there any examples of such scripts?

Thank you.

lukas

> 
> You actually tend to want this though.  At many sites it is reasonable
> for a larger set of users to go through all the steps of creating a
> properly configured account all at once than it is to allow a user to
> only go through one of the steps of account setup.  If only the web
> server is authorized to act, it can enforce constraints like this.
> 
> --Sam
> 
> 

-- 
Lukas Kubin

phone: +420596398275
email: kubin at opf.slu.cz

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
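The kadmin wrapper the question asks about, written as the "privilege delegation service" Sam describes, as an added example that is mine and not code from the thread or from MIT Kerberos. It assumes a hypothetical realm EXAMPLE.COM, a dedicated principal webaccounts/admin whose kadm5.acl entry grants only the add permission and pins the password policy, a keytab path, and a caller allowlist; mod_auth_kerb's REMOTE_USER is the caller.

```shell
#!/bin/sh
# Added example, not code from the thread: a kadmin wrapper acting as a
# privilege delegation service. The web server authenticates the requester
# (mod_auth_kerb sets REMOTE_USER); the wrapper uses a dedicated, narrowly
# permitted keytab rather than a full administrator's keytab.
# Assumed kadm5.acl entry on the KDC (hypothetical realm EXAMPLE.COM); it lets
# the principal only add principals and forces the "users" policy on them:
#   webaccounts/admin@EXAMPLE.COM  a  *@EXAMPLE.COM  -policy users
# A stolen keytab then cannot delete, modify or re-key existing principals.
REALM="EXAMPLE.COM"                      # assumed realm
KEYTAB="/etc/httpd/webaccounts.keytab"   # assumed path; mode 0400, owned by the web user
ADMIN_PRINC="webaccounts/admin@$REALM"   # assumed restricted admin principal

# Accept only plain lowercase usernames, so client input reaches kadmin's
# query parser as nothing other than a principal name.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only an allowlist of authenticated callers may create accounts.
caller_allowed() {
    case "$1" in
        "helpdesk@$REALM"|"itadmin@$REALM") return 0 ;;
        *) return 1 ;;
    esac
}

# Initial password: 16 random alphanumerics from the kernel RNG.
new_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# The wrapper, not the web client, fixes the policy and attributes.
addprinc_query() {
    printf 'addprinc -policy users +requires_preauth -pw %s %s@%s' "$2" "$1" "$REALM"
}

# create_account CALLER USERNAME; CALLER is REMOTE_USER from mod_auth_kerb.
create_account() {
    caller_allowed "$1" || { echo "caller $1 not permitted" >&2; return 2; }
    valid_username "$2" || { echo "invalid username" >&2; return 3; }
    pw=$(new_password)
    # Feed the query on stdin so the password never appears in a process list.
    kadmin -k -t "$KEYTAB" -p "$ADMIN_PRINC" <<EOF || return 4
$(addprinc_query "$2" "$pw")
EOF
    printf '%s\n' "$pw"   # hand the initial password back to the UI
}
```

The create_account function is what the web UI's CGI or backend calls; the keytab and the allowlist are the only secrets on the web host.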