Kerberized authorization service
John Hascall
john at iastate.edu
Mon Feb 11 11:09:56 EST 2008
> Let's take two real world counter-examples: the AFS PTS server, and
> John Hascall's double-secret authz server (Stanford's wallet might
> be another example, but I don't know enough about it to say so
> let's not bring that into the mix right now).
> Both services work in roughly the same way: you send them an identity
> which you have derived from your authentication service (Kerberos in
> both cases) and the service responds with what you are allowed to
> do. In the AFS PTS server's case you get a set of groups that the
> identity belongs to which are used by the AFS fileserver to determine
> permissions based on ACLs stored on directories. In the Hascall
> double-secret authz server you get a "yes/no" answer regarding access
> to a particular service (John, if I've got this wrong, please correct me).
That's correct.
To accessd: ticket, op, principal, object, mode, where-comment, by-comment
Sent back: yes/no/error
The ticket is who is making the request (e.g., the print server
or host/host.name for a login request).
Op is access (or deaccess(logout), or add/delete/rename/etc)
mode says how object is to be accessed (we use it for "su" for example)
The last two are just for accessd's log, which might be
semi-instructive:
<date> I,print.print-2 at IASTATE.EDU authenticated (v4) on connection 6.
\__princ of ticket \__ugh
<date> a,john,du245-lj4.printer,,malison.its.iastate.edu,Print,ok
| | | / | | |
op | object mode where-comment by-comment answer
principal (might be telnet, ssh, su,
ftp, a cgi-program, etc)
I think this has all the elements Jeff thought were essential
except for:
1) a text reason for no <-- not seeing what you would say -- "no means no"?
2) optional group info <-- we've never seen the need, but one could
certainly add a send-me-groups opcode as it
knows that info
John
More information about the Kerberos
mailing list