delegating principal creation to a web process
Simon Wilkinson
simon at sxw.org.uk
Fri Mar 21 05:19:08 EDT 2008
On 21 Mar 2008, at 01:36, Jason Edgecombe wrote:

> The script will check that the user is in the /etc/password file. The
> keytab will only have privileges to add accounts, so existing accounts
> like admin/root are safe.

Bear in mind that if you have wildcards anywhere in your ACLs, you don't
just care about existing accounts, but also about creating new
accounts that may match existing wildcards.

> How would remctl give me more security in this arrangement?

It lets you protect the access to your kadmind better, by allowing
you to do all of the sanity checking at the point of privilege
escalation.

In your current model, anyone who has access to the keytab on your
web server machine (which probably means anyone who can execute
scripts on your web server), can bypass the sanity checking that your
script performs. If you use remctl, then the web server machine
purely has a keytab that lets it talk to remctl, which then performs
sanity checking before passing the request on to the kadmind. In that
way, you can guarantee that any request _must_ have been sanity
checked in order to reach kadmind.

Simon.
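
The sanity checks discussed in this message, sketched as the validation a remctl backend on the KDC side could run before handing a create request to kadmind. This is an added example, not part of the original mail or of remctl. The function names, realm, ACL lines and user set are constructed, and `fnmatchcase` only approximates the ACL file's wildcard matching (it errs towards rejecting).

```python
import re
from fnmatch import fnmatchcase

REALM = "EXAMPLE.ORG"  # constructed realm name

# Constructed ACL lines in "<principal pattern> <permissions>" form.
SAMPLE_ACL = """\
# constructed sample, not a real ACL file
*/admin@EXAMPLE.ORG                      *
webcreate/www.example.org@EXAMPLE.ORG    a
ops-*@EXAMPLE.ORG                        ci
"""

# Constructed set standing in for the passwd lookup the original script does.
SAMPLE_USERS = {"jdoe", "alice", "ops-temp"}

# Single-component names only: no "/" (instances) and no "@" (realm override).
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,30}\Z")


def acl_patterns(acl_text):
    """Return the principal pattern (first field) of every ACL entry."""
    patterns = []
    for line in acl_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line.split()[0])
    return patterns


def check_request(name, acl_text=SAMPLE_ACL, users=SAMPLE_USERS, realm=REALM):
    """Decide whether a requested principal may be created.

    Returns (allowed, reason). The backend would call kadmin only when
    allowed is True, so every request reaching kadmind has been checked.
    """
    if not NAME_RE.match(name):
        return (False, "bad-name")
    if name not in users:
        return (False, "unknown-user")
    full = f"{name}@{realm}"
    # A new principal that matches an existing ACL wildcard would inherit
    # that entry's privileges as soon as it exists, so refuse to create it.
    for pattern in acl_patterns(acl_text):
        if fnmatchcase(full, pattern):
            return (False, f"matches-acl:{pattern}")
    return (True, "ok")
```

Because the check runs on the remctl side rather than in the web script, holding the web server's keytab is not enough to skip it.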