delegating principal creation to a web process
Simon Wilkinson
simon at sxw.org.uk
Thu Mar 20 14:44:49 EDT 2008
On 20 Mar 2008, at 17:52, Jason Edgecombe wrote:
> We're working on creating a process that will automatically create a
> kerberos principal for a user when they agree to the computer policies
> on a web page.
We do this, although probably in a less restricted fashion than you
desire.
Our 'Friend' scheme for electronic visitor accounts uses a KDC to
store the passwords for these accounts (this has the advantage that
both 'friend' and 'normal' accounts are backended by the same
authentication technology - and lets us use credential delegation in
services designed for both classes of users). You can have a look at
the public facing portions of it at https://ifriend.inf.ed.ac.uk/
> I'm looking on advice on how to best to write a system that will be
> run
> by the web server and create the specified user account on demand and
> set the password. I plan to use a custom kerberos principal for this
> purpose with the right to create principals on the KDC. The only thing
> that is passwd in is the username and password. I was planning on
> storing this custom principals keytab in a local file. Besides having
> files readable only by root and only allowing the web server user
> to run
> the program and verifying my input. how can I keep this relatively
> secure?
remctl is your friend for this kind of priviledge delegation task.
You can use it to front kadmin, and it will give you far more
powerful ACL and data validation rules than kadmin supports.
> This is a shared web server that serves php from our students
> home pages, but no one besides staff members has shell access.
The main thing you have to consider is how to restrict access to the
creation script such that it can only be run by the webserver (and
not by any of your students PHP scripts). You also have to make sure
that the script can only be invoked from the correct start page -
CSRF attacks are incredibly insidious, and very damaging to this sort
of application. It's not clear from your description how you check
that the script is creating the 'correct' account name for a
particular user - nor how you protect against denial of service
attacks, or attacks which create 'magic' account names (root, <blah>/
admin, anything else your site has in a wildcard)
Hope that helps,
Simon.
More information about the Kerberos
mailing list