Tying user keytabs to IPs?

g.w@hurderos.org g.w at hurderos.org
Sat Mar 12 09:52:58 EST 2005


On Mar 4,  8:53pm, K. Bruner wrote:
} Subject: Tying user keytabs to IPs?

Good morning to everyone, hope the week went well.

> We are investigating using Kerberos authentication with Oracle.  We have
> one Oracle application username that needs to connect from scripts from a
> couple of machines, but we don't want to hardcode the Oracle (or any) 
> password into the scripts.  I haven't been able to find a way to tie a
> user keytab to just one machine, so my understanding is that the keytab
> could be copied to other machines, and since the KDC/TGS can't disallow
> based on IP, we can't prevent keytab proliferation.
> 
> Is there something I'm missing?  I don't suppose I can wrap the KDC in
> TCP wrappers....  IP-based authorization from Oracle has apparently been
> problematic for us in the past.
> 
> One other possibility is that because we're running the KDC on linux, we
> could just use iptables to allow Kerberos connections only from certain
> hosts.

Since you are talking about a user keytab it would seem that you are
going to use a model where a keytab is used to authenticate a request
for a service ticket to Oracle.  If that is indeed the case you are
correct in your concern that a service request can come from wherever
the keytab is.

As is typically the case of late, you are as concerned with answering
an authorization question as you are an authentication question.  The
party line on this is that Kerberos is about authentication not
authorization.  Unfortunately the 'real world' is as much or more
about authorization as it is authentication.  Equally unfortunate is
that there seems to be little focus on this outside the realm of
proprietary software.

I assume you are using MIT Kerberos on Linux.  If so you may want to
grab the 0.1.3 release of Hurderos for the Kerberos plugin patches.
These implement an extension architecture which should provide you
with the basic foundation facilities needed to implement authorization
of authentication requests by IP address.

You will need to roll a bit of code but it will be straightforward.
I can give you a few suggestions if you are interested in moving
forward.  I can also send you my current plug-in patches which address
a number of issues that are outstanding in the 0.1.3 patchset.

Good luck with your project, best wishes for a nice weekend.

Greg

}-- End of excerpt from K. Bruner

As always,
Dr. Greg 'GW' Wettstein
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org
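The check Greg describes as something to be rolled by hand, written out as an added example that is not part of the original message and is not Hurderos or MIT Kerberos code: given the client principal named in an AS-REQ and the address the request arrived from, decide whether the KDC should answer it. The policy format, the function names, the realm EXAMPLE.COM, the principal names and the addresses are all assumptions made up for illustration; wiring the decision into a KDC plugin is outside what this snippet shows.

```python
"""Per-principal source-address policy for AS-REQs (added illustration).

Everything here is constructed for the example: the policy layout, the
principals, the networks and the sample requests. It is not the Hurderos
plugin interface and not MIT Kerberos code.
"""
import ipaddress
from collections import namedtuple

# Principal -> networks an AS-REQ for that principal may originate from.
# Principals that are listed are default-deny; principals that are not
# listed are left alone so ordinary users are unaffected. Hypothetical data.
POLICY = {
    "oracle-batch@EXAMPLE.COM": ["10.1.2.10/32", "10.1.2.11/32"],
    "host/kdc.example.com@EXAMPLE.COM": ["127.0.0.0/8"],
}

Decision = namedtuple("Decision", ["allowed", "reason"])


def compile_policy(policy):
    """Parse every CIDR once; a malformed network is a configuration error
    and should fail at load time, not on the first request."""
    return {
        princ: [ipaddress.ip_network(net, strict=True) for net in nets]
        for princ, nets in policy.items()
    }


def check_as_request(compiled, client_princ, source_addr):
    """Return a Decision for an AS-REQ naming client_princ, seen from
    source_addr (the transport source, not the addresses field inside
    the request, which the client chooses)."""
    try:
        addr = ipaddress.ip_address(source_addr)
    except ValueError:
        # Never let an unparsable address fall through to "allow".
        return Decision(False, "unparsable source address %r" % (source_addr,))

    nets = compiled.get(client_princ)
    if nets is None:
        return Decision(True, "no address policy for %s" % client_princ)

    for net in nets:
        # Membership is False across address families, so a v6 source
        # never matches a v4 network by accident.
        if addr in net:
            return Decision(True, "%s permitted from %s" % (client_princ, net))
    return Decision(False, "%s not permitted from %s" % (client_princ, addr))


def filter_requests(compiled, requests):
    """Run a batch of (principal, source) pairs and return the denied ones
    with their reasons, the list a KDC would log."""
    denied = []
    for princ, src in requests:
        d = check_as_request(compiled, princ, src)
        if not d.allowed:
            denied.append((princ, src, d.reason))
    return denied


# Constructed sample traffic: one legitimate batch host, one copy of the
# keytab used from an unlisted host, one ordinary user, one bad address.
SAMPLE_REQUESTS = [
    ("oracle-batch@EXAMPLE.COM", "10.1.2.10"),
    ("oracle-batch@EXAMPLE.COM", "10.1.2.12"),
    ("alice@EXAMPLE.COM", "192.0.2.44"),
    ("host/kdc.example.com@EXAMPLE.COM", "::1"),
    ("oracle-batch@EXAMPLE.COM", "not-an-address"),
]

if __name__ == "__main__":
    compiled = compile_policy(POLICY)
    for princ, src, why in filter_requests(compiled, SAMPLE_REQUESTS):
        print("DENY %-36s from %-16s (%s)" % (princ, src, why))
```

Two things worth keeping in mind when turning this into a real check. The decision must be made on the address the request actually came from, not on the address list the client puts inside the AS-REQ, since the client fills that in itself. And an address check limits where a copied keytab is usable from; it does not tell you the keytab was copied, and it does nothing against someone who is already on one of the permitted hosts. Flipping unlisted principals to default-deny is a one-line change in check_as_request if that is the policy wanted.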

