Kerberized authorization service
Jos Backus
jos at catnook.com
Tue Feb 5 16:17:27 EST 2008
On Tue, Jan 29, 2008 at 07:40:17AM -0600, John Hascall wrote:
> We have had a simple kerberized accessd service here for almost
> 20 years now. It's some pretty ugly code, but if you wanted to
> make your own it would be about a day's project. Ours uses the
> kind of really trivial protocol one might come up with when one
> has a day to create it :)
> like:
> sendauth(as host/host.name usually) -->
> then |------ nul-terminated strings ---------|
> 2bytes-count 2bytes-opcode princ resource mode wherefrom whatcomment -->
> 2bytes-count,2bytes-replycode <-- (false/true basically)
>
> for example, sshd (via pam) might send
> ##,access,john at IASTATE.EDU,foo.iastate.edu,,bar.iastate.edu,ssh
> ksu might send:
> ##,access,john at IASTATE.EDU,foo.iastate.edu,root,ttyp6,su
> Our management system, moira, might send:
> ##,add,john at IASTATE.EDU,foo.iastate.edu,...
> delete ...
> rename ...
> and so on. It also supports hierarchical lists (e.g., foo.iastate.edu
> contains foo-staff and foo-guests which contain users, etc)
>
> Resource names can be machines or printers or whatever (for example,
> we have an apache module that queries it too)
>
> Recently, I had a couple of my student employees work up a
> proof-of-concept using SAML (with a kerb auth as part of the payload)
> as the protocol -- since SAML seems like a more likely future direction
> for a standardized auth protocol than something I threw together one
> night in 1990 :)
>
> You could backend such a thing with LDAP or whatever you want
> (we use an in-core flattened double-hash structure,
> backed with a simple on-disk log-structured copy
> so that all operations are more-or-less done in small constant "O(1)" time.
You think you could make either (or both) implementations available for public
consumption? I'd love to have a look. If nothing else it sounds
battle-tested. :-)
Thanks,
--
Jos Backus
jos at catnook.com
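The framed request/reply exchange John describes above, as an added example that is not part of this thread or of the accessd code itself. The opcode numbering, the meaning of the count field (byte length of everything after it) and the list contents are assumptions; the parser checks the sender-supplied count and field layout instead of trusting them.

```python
import struct

# Assumed opcode values (the post names the opcodes but not their numbering).
OPCODES = {"access": 1, "add": 2, "delete": 3, "rename": 4}
OPNAMES = {v: k for k, v in OPCODES.items()}
FIELDS = ("princ", "resource", "mode", "wherefrom", "comment")

def encode_request(op, *fields):
    # Frame: 2-byte count, 2-byte opcode, five NUL-terminated strings.
    # Assumption: count is the big-endian byte length of everything after it.
    if len(fields) != len(FIELDS) or any("\0" in f for f in fields):
        raise ValueError("need %d NUL-free fields" % len(FIELDS))
    body = struct.pack("!H", OPCODES[op]) + b"".join(f.encode() + b"\0" for f in fields)
    return struct.pack("!H", len(body)) + body

def decode_request(frame):
    # The count and field layout arrive from the network, so verify them rather
    # than trusting them: short header, mismatched count, wrong field count all fail.
    if len(frame) < 4:
        raise ValueError("truncated header")
    count, opcode = struct.unpack("!HH", frame[:4])
    if count != len(frame) - 2:
        raise ValueError("count does not match frame length")
    strings = frame[4:].split(b"\0")
    if strings[-1] != b"" or len(strings) - 1 != len(FIELDS):
        raise ValueError("expected exactly %d NUL-terminated fields" % len(FIELDS))
    req = dict(zip(FIELDS, (s.decode() for s in strings[:-1])))
    req["op"] = OPNAMES[opcode]  # KeyError for an opcode we do not know
    return req

# Constructed hierarchical lists: a resource's members may themselves be lists.
LISTS = {
    "foo.iastate.edu": {"foo-staff", "foo-guests"},
    "foo-staff": {"john@IASTATE.EDU"},
    "foo-guests": {"guest@IASTATE.EDU"},
}

def is_member(princ, resource, seen=None):
    # Recursive membership walk; `seen` stops a cyclic list from looping forever.
    seen = set() if seen is None else seen
    if resource in seen:
        return False
    seen.add(resource)
    return any(m == princ or is_member(princ, m, seen) for m in LISTS.get(resource, ()))

def handle(frame):
    # Server side: parse, decide, reply with 2-byte count + 2-byte code (0/1).
    req = decode_request(frame)
    allowed = req["op"] == "access" and is_member(req["princ"], req["resource"])
    return struct.pack("!HH", 2, int(allowed))
```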