delegating principal creation to a web process

Jason Edgecombe jason at rampaginggeek.com
Thu Mar 20 21:36:50 EDT 2008


Russ Allbery wrote:
> Simon Wilkinson <simon at sxw.org.uk> writes:
>
>   
>> It's not clear from your description how you check that the script is
>> creating the 'correct' account name for a particular user - nor how you
>> protect against denial of service attacks, or attacks which create
>> 'magic' account names (root, <blah>/ admin, anything else your site has
>> in a wildcard)
>>     
>
> http://www.eyrie.org/~eagle/software/kadmin-remctl/ may be helpful in that
> respect.
>
>   
The script will check that the user is in the /etc/passwd file. The 
keytab will only have privileges to add accounts, so existing accounts 
like admin/root are safe.

How would remctl give me more security in this arrangement? The key 
issue seems to be protecting the keytab, verifying the URL used, and 
validating that the request is for a valid username to create.

Jason

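As an added illustration, not Jason's script and not code from kadmin-remctl, here is one way to code the request validation he describes in Python: a syntax check that rejects '/', '@', '*' and other characters that would let a requester name a "magic" or wildcard principal, a reserved-name list, a lookup against /etc/passwd with a UID floor so system accounts cannot be requested, and a per-client rate limit for the denial-of-service point Simon raised. The passwd lines are constructed sample data, and the reserved names, the minimum UID of 1000 and the hypothetical handle_request() hand-off (which returns the principal string instead of calling kadmin with the keytab) are assumptions rather than anything the thread specifies.

```python
import re
from collections import deque

# Constructed sample /etc/passwd contents for the example (not a real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:500:500:Site admin:/home/admin:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

# Assumptions for the example: ordinary users have UIDs >= 1000, and these
# names must never be handed to kadmin even if they appear in passwd.
MIN_UID = 1000
FORBIDDEN = {"root", "admin", "kadmin", "krbtgt", "host", "nobody"}
REALM = "EXAMPLE.COM"  # assumed realm, used only to build the principal string

# Only a single lowercase component: no '/', '@', '*', '?' or whitespace, so a
# request can never spell an instance (user/admin), a foreign realm or a wildcard.
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def parse_passwd(text):
    """Return {login: uid} for every well-formed line of a passwd file."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: ignore rather than guess
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def validate_username(name, users):
    """Return (ok, reason) for a requested principal name."""
    if not NAME_RE.match(name):
        return False, "bad syntax"
    if name in FORBIDDEN:
        return False, "reserved name"
    uid = users.get(name)
    if uid is None:
        return False, "not a local user"
    if uid < MIN_UID:
        return False, "system account"
    return True, "ok"


class RateLimiter:
    """Sliding-window limit: at most max_requests per key per window_seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = {}

    def allow(self, key, now):
        dq = self.hits.setdefault(key, deque())
        while dq and dq[0] <= now - self.window:
            dq.popleft()  # drop requests that fell out of the window
        if len(dq) >= self.max_requests:
            return False
        dq.append(now)
        return True


def handle_request(name, client, users, limiter, now):
    """Decide whether a create request may be passed to the kadmin step.

    Returns (principal_or_None, reason). The kadmin call that would use the
    keytab is deliberately not made here (hypothetical hand-off).
    """
    if not limiter.allow(client, now):
        return None, "rate limited"
    ok, reason = validate_username(name, users)
    if not ok:
        return None, reason
    return "%s@%s" % (name, REALM), "ok"


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    limiter = RateLimiter(max_requests=3, window_seconds=60)
    for req in ("jsmith", "root", "jsmith/admin", "alice", "daemon"):
        print(req, handle_request(req, "10.0.0.5", users, limiter, now=0))
```

The ordering matters: the syntax check runs before any lookup, so a name containing '/' or '@' is refused without touching passwd, and the rate limit is applied per client before validation so a flood of bad names cannot drive the kadmin step or the lookups.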