User instances

Rachel Elizabeth Dillon red at MIT.EDU
Wed Oct 27 14:56:33 EDT 2004


On Wed, Oct 27, 2004 at 07:54:45PM +0200, Fredrik Tolf wrote:
> Is there no way to just add one single general rule to cover all users,
> analogous to filename matching in Makefiles? That is, something like
> this:
> 
> %/admin@REALM.COM x %/*@REALM.COM
> 
> Where, as in make, `%' would have to match the same thing in both
> places?
> 
> It's not that it would be a problem to add every user manually, but I
> guess it would be better if I didn't have yet another step to take when
> I want to add a user.

The manpage for kadmind does not suggest that any such rule exists. It
might be a convenient thing to add in, or it might exist in the source 
but not be documented; I don't know. I expect it doesn't, but that's
just a guess.  
 
> > will give users full permissions on any principals with their username,
> > but I recommend not just using this line for a couple of reasons:
> > [snip]
> >  * If you want to manage things like password expiry, users can circumvent
> >    you at the KDC level.
> 
> Is there no way to force a certain policy onto principals?

You absolutely can! You can make username/cron whatever policy you want.
But if username/admin has administrative privileges on username/cron,
then username/admin can just take that policy away. :) I _think_ that you
can give users adMcil permissions rather than x and be safe from this,
but I haven't actually tried. (This gives them the ability to do everything
except modify principals, so that whatever rules you put in place will
stick.)
 
> > I personally think this is a bad idea, but not knowing anything about
> > your situation, that judgment seems arbitrary. "What are you really
> > trying to do?" :)
> 
> It's mainly that I want users to be able to create principals for
> automatic usage, like username/cron or username/gdm-autologin or the
> like (you know, create a principal with -randkey and store it in a
> keytab for programs that need to setuid without a password). I'm going to
> be switching to NFSv4 in a while, and it would be a pity if people
> couldn't have cron jobs anymore just because they wouldn't have access
> to their own home directories...
> It's really just a home network, not a production site or anything, but
> we use Kerberos extensively for SSO and I really just want to solve all
> the problems I come across canonically, or I'd think bad of myself. :-)
> For example, my sisters like to have gdm log them in automatically (so
> that they don't have to type their passwords), and thus I need some
> extra principals to do that job. Likewise with cron.

So the solution I would suggest is sketchy in a different way :) I personally,
maybe because I often work with users who I do not trust not to eat their
own hands, would be very loath to give anyone any sort of access to the kdc
or kadmin interface that they do not specifically need. So probably I would
make each user a username/daemon principal, put it in their home directory
with permissions set to 400, and use that for cron, login, etc. This does mean
that the same principal has a lot of power, but it only has as much power as 
that user does, which doesn't seem like too much of a risk. And in some ways
it is probably easier to keep track of. 

That said, I _think_ you can do it your way and be OK, though I haven't
tested it. 

> Thanks for replying!

Best of luck :)

-r.
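As an added illustration of the per-user ACL approach discussed in this thread (example script, not code from either poster), the following generates one kadm5.acl line per user with the restricted "adMcil" permission set suggested above, and uses the fourth restrictions field supported by current MIT kadm5.acl to force a policy onto any principal the user creates. The realm, policy name, usernames and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Generates MIT kadm5.acl lines giving
# each user limited control over their own <user>/<instance> principals.
# REALM and POLICY are constructed placeholders; the policy is assumed to
# exist already (e.g. created with: kadmin.local -q "addpol user-service").
REALM="REALM.COM"
POLICY="user-service"

# One ACL line per username. The permission string "adMcil" is the set
# suggested in the thread: add, delete, changepw, inquire, list, with the
# capital M explicitly denying modify so the user cannot strip the policy
# from their own service principals. The fourth field is a restriction
# that applies the policy to every principal the user adds.
gen_acl_lines() {
    for user in "$@"; do
        printf '%s/admin@%s adMcil %s/*@%s -policy %s\n' \
            "$user" "$REALM" "$user" "$REALM" "$POLICY"
    done
}

# Sanity check before installing the user section of the file: flag any
# line whose permission field grants full rights (x or *) or lowercase m
# (modify), since either lets the holder remove the policy again. The
# administrator's own */admin line legitimately carries * and is kept
# outside the section this is run over. Exit status 1 if anything is flagged.
lint_acl() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 ~ /[x*m]/ { print "grants x, * or m: " $0; bad = 1 }
        END { if (bad) exit 1 }
    ' "$1"
}

# Demo with a constructed user list; redirect into the kadm5.acl file
# used by your kadmind (path varies by distribution) once lint_acl passes.
gen_acl_lines alice bob
```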