delegating principal creation to a web process
Jason Edgecombe
jason at rampaginggeek.com
Thu Mar 20 21:36:50 EDT 2008
Russ Allbery wrote:
> Simon Wilkinson <simon at sxw.org.uk> writes:
>
>
>> It's not clear from your description how you check that the script is
>> creating the 'correct' account name for a particular user - nor how you
>> protect against denial of service attacks, or attacks which create
>> 'magic' account names (root, <blah>/ admin, anything else your site has
>> in a wildcard)
>>
>
> http://www.eyrie.org/~eagle/software/kadmin-remctl/ may be helpful in that
> respect.
>
>
The script will check that the user is in the /etc/password file. The
keytab will only have privileges to add accounts, so existing accounts
like admin/root are safe.
How would remctl give me more security in this arrangement? The key
issue seems to be protecting the keytab, verifying the url used, and
validating the request for the a valid username to create.
Jason
More information about the Kerberos
mailing list