UI for Kerberos accounts administration

Sam Hartman hartmans at MIT.EDU
Mon Aug 23 08:01:06 EDT 2004


>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:

    Lukas> Sam Hartman wrote:
    >>>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:
    Lukas> I'm planning to build a web interface for administering
    Lukas> our Kerberos/OpenAFS/LDAP accounts.  How should I pass
    Lukas> credentials to the web service? I can use the mod_auth_kerb
    Lukas> module for Apache. Then some wrapper script will call
    Lukas> kadmin command. When I want kadmin not to ask for password
    Lukas> every time it is called, I'll have to create an
    Lukas> administrator's keytab stored on the webserver. That way
    Lukas> appears not to be secure.
    >> Why is this not secure?  It
    >> places your web service in the role as a privilege delegation
    >> service rather than as acting as the user directly.

    Lukas> In this design I need to store administrator's password in
    Lukas> a keytab file on webserver. In case someone breaks into the
    Lukas> webserver, he/she can easily misuse the keytab to
    Lukas> "administer" our Kerberos accounts. That's what I consider
    Lukas> insecure.

OK, so in another design, they need to break into the web server and
modify a binary to grab the password of the next administrator to use
the system.

Most of us have found that having the web server be a privilege
delegation service and be able to enforce additional checks on account
creation etc is worth the difference in cost between these two
approaches.


    Lukas> Do the K5 enabled sites administer accounts this way?

Many do.

Sites like MIT and CMU have administration servers that accept
requests for account creation, update, etc from support staff and
proxy them to the administration services.

These systems tend to be database backed, very complicated, fairly
custom, and under-documented.  Some of them are semi-public in that
the sources are available and the license is reasonable.  If you
managed to find the sources and get it all working you could use it.

You might take a look at http://www.hurderos.org/. I think that their
focus is somewhat different but that they may end up solving some of
the same usability problems you're looking at.


--Sam
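The privilege-delegation design Sam describes, sketched as an added example (not code from the thread or from any of the sites mentioned): the staff member authenticates with their own credentials through mod_auth_kerb, the web service holds the admin keytab, and before it ever invokes kadmin it checks who is asking, restricts the request to a fixed set of operations, and validates the target principal. The admin principal, keytab path, realm and staff list are assumed values.

```python
import re

# Assumed values for this example (not from the thread): the service's
# admin principal, its keytab, the realm and the staff allowed to use it.
ADMIN_PRINC = "webadmin/admin@EXAMPLE.ORG"
ADMIN_KEYTAB = "/etc/httpd/webadmin.keytab"
REALM = "EXAMPLE.ORG"
SUPPORT_STAFF = {"alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"}

# Only plain user principals (no instance, no realm) may be touched, and
# only via these fixed kadmin queries; the keytab's full admin rights are
# never exposed to the caller.
USER_NAME = re.compile(r"^[a-z][a-z0-9]{1,15}$")
ACTIONS = {
    "create": "addprinc -randkey {princ}",     # initial key set out of band
    "disable": "modprinc -allow_tix {princ}",  # stop ticket issuance
}
AUDIT = []  # constructed in-memory audit trail; a real service would log it


class PolicyError(Exception):
    pass


def authorize(remote_user):
    """REMOTE_USER as mod_auth_kerb sets it after the staff member's own login."""
    if remote_user not in SUPPORT_STAFF:
        raise PolicyError("caller %r is not support staff" % (remote_user,))
    return remote_user


def build_kadmin(remote_user, action, user):
    """Return the kadmin argv for one delegated request, or raise PolicyError.

    This is where the web service enforces the extra checks the thread
    mentions: who may ask, what they may ask for, and on which principals.
    The argv is run without a shell, and the name regex keeps the -q
    string free of anything but the validated principal."""
    caller = authorize(remote_user)
    if action not in ACTIONS:
        raise PolicyError("action %r not offered" % (action,))
    if not USER_NAME.match(user):
        raise PolicyError("refusing principal name %r" % (user,))
    princ = "%s@%s" % (user, REALM)
    query = ACTIONS[action].format(princ=princ)
    AUDIT.append((caller, action, princ))
    return ["kadmin", "-k", "-t", ADMIN_KEYTAB, "-p", ADMIN_PRINC, "-q", query]


if __name__ == "__main__":
    print(build_kadmin("alice@EXAMPLE.ORG", "create", "newuser"))
```

The returned list is what a wrapper would hand to subprocess.run; the keytab never leaves the server and a compromised staff workstation gains only what the allow-list above permits.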

