delegating principal creation to a web process
Jason Edgecombe
jason at rampaginggeek.com
Thu Mar 20 13:52:43 EDT 2008
Hi,
We're working on creating a process that will automatically create a
kerberos principal for a user when they agree to the computer policies
on a web page.
The user will use a web link that we sent with a hashed value that will
take the user to a web page that will create their kerberos principal if
they agree to the computer usage terms.
This web page is a transition and complement to an in-house written app
that creates kerberos principals on demand when a user shows valid ID to
our helpdesk staff.
I'm looking for advice on how best to write a system that will be run
by the web server and create the specified user account on demand and
set the password. I plan to use a custom kerberos principal for this
purpose with the right to create principals on the KDC. The only thing
that is passed in is the username and password. I was planning on
storing this custom principal's keytab in a local file. Besides having
files readable only by root and only allowing the web server user to run
the program and verifying my input, how can I keep this relatively
secure? This is a shared web server that serves php from our students'
home pages, but no one besides staff members has shell access.
This seems like a simple process:
kinit with keytab
kadmin addprinc with new password
kdestroy
I'm just looking for the gotchas.
Thanks,
Jason
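The three-step process above (kinit with the keytab, addprinc, kdestroy), written out as a wrapper the web server user could be permitted to run. This is an added example, not Jason's script and not anything from the MIT Kerberos distribution; the realm EXAMPLE.COM, the admin principal webcreate/admin, the keytab path and the use of MIT kadmin are all assumptions. It takes the username on the command line and the password on stdin, so the password never shows up in the process list of a host where other people's PHP runs, and it whitelists the username before it is spliced into the kadmin query.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumed names: realm
# EXAMPLE.COM, admin principal webcreate/admin@EXAMPLE.COM, keytab
# /etc/krb5.webcreate.keytab, MIT Kerberos kadmin.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
ADMIN_PRINC="${ADMIN_PRINC:-webcreate/admin@$REALM}"
KEYTAB="${KEYTAB:-/etc/krb5.webcreate.keytab}"

# A username is accepted only if it is 2-32 chars of [a-z0-9] and starts
# with a letter. This rejects '/', '@', '*', quotes and whitespace, so the
# caller cannot smuggle an instance ("alice/admin") or a second command
# into the string handed to kadmin -q.
validate_username() {
    case "$1" in
        ''|*[!a-z0-9]*|[0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 32 ]
}

# The password is answered to kadmin's prompts on stdin, one line per
# prompt, so it must not contain a newline. A length floor is applied here
# because no password policy on the KDC is assumed.
validate_password() {
    [ "${#1}" -ge 8 ] || return 1
    nl="$(printf '\nx')"; nl="${nl%x}"      # a literal newline, POSIX-safe
    case "$1" in
        *"$nl"*) return 1 ;;
    esac
    return 0
}

# The single kadmin query. The realm is written out explicitly so kadmin's
# default-realm handling is never involved in deciding what gets created.
addprinc_query() {
    printf 'addprinc %s@%s' "$1" "$REALM"
}

# Create the principal. Username comes in argv (not secret); the password is
# the first line of stdin so it never appears in `ps` the way
# "addprinc -pw ..." would on a shared host.
create_principal() {
    user="$1"
    validate_username "$user" || { echo "rejected username" >&2; return 2; }
    IFS= read -r password || return 2
    validate_password "$password" || { echo "rejected password" >&2; return 2; }
    # kadmin -k -t authenticates as ADMIN_PRINC straight from the keytab,
    # so no credential cache is written and there is nothing for kdestroy
    # to clean up afterwards. The two lines answer kadmin's
    # "Enter password" / "Re-enter password" prompts. Assumption: MIT
    # kadmin reads those prompts from stdin when stdin is a pipe.
    printf '%s\n%s\n' "$password" "$password" |
        kadmin -p "$ADMIN_PRINC" -k -t "$KEYTAB" -q "$(addprinc_query "$user")"
}

# Only act when invoked with exactly one argument (the username).
if [ $# -eq 1 ]; then
    create_principal "$1"
fi
```

Two things the script cannot do for you: first, the kadm5.acl entry for the web principal should grant only the add right, scoped to ordinary users, along the lines of `webcreate/admin@EXAMPLE.COM  a  *@EXAMPLE.COM`; the target glob cannot express "any principal except those with an instance", which is why the username check above refuses '/'. Second, the keytab is a standing credential: if the web server process can read it, so can every PHP script that runs as that user, so the usual arrangement is a root-owned keytab plus a sudo rule that lets the web user run only this script with only a username argument.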
More information about the Kerberos mailing list