User instances

Rachel Elizabeth Dillon red at MIT.EDU
Thu Oct 21 19:45:47 EDT 2004


There are a couple of things that I havs seen as common across multiple
realms; username/admin principals tend to be principals with full 
administrative rights in kadmin, and username/root principals tend to
be principals with additional privileges you want the user to have to
remember to turn on specifically. I personally find that any other
instances tend to be mostly confusing, as the average user does not
want to have to deal with instances, but I am sure different people
have different opinions of "not ugly." If you do want to do this, 
you probably want to look at the man page for kadmind, specifically the
ACL FILE SYNTAX section, in order to determine how to give your users
the permissions you want them to have. It looks like a line like this:

username/*@REALM.COM x username/*@REALM.COM

will give users full permissions on any principals with their username,
but I recommend not just using this line for a couple of reasons:

 * You may not want them to be able to delete their own principal, which
   would just get irritating.
 * If you use the basic */admin * line which allows any principal with
   an admin instance full access to the KDC, any user with two malicious
   neurons to fire against each other can eventually figure out how to
   get an /admin principal and do nasty things.
 * If you want to manage things like password expiry, users can circumvent
   you at the KDC level.

I personally think this is a bad idea, but not knowing anything about
your situation, that judgment seems arbitrary. "What are you really
trying to do?" :)

Hope this helps,

-r.


On Thu, Oct 21, 2004 at 11:20:35PM +0200, Fredrik Tolf wrote:
> I've got three short questions about instances:
> 
> Is there a standardization for what instances mean for user principals?
> If not, would it be OK (OK as in "not ugly") to enable users to create
> new principals with their own name, but different instances? If so, is
> there a way to make the MIT KDC allow users to do this?
> 
> Thanks for your time!
> 
> Fredrik Tolf
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20041021/3ac32fe7/attachment.bin


More information about the Kerberos mailing list