delegating principal creation to a web process

Simon Wilkinson simon at sxw.org.uk
Fri Mar 21 05:19:08 EDT 2008


On 21 Mar 2008, at 01:36, Jason Edgecombe wrote:
>>
> The script will check that the user is in the /etc/password file. The
> keytab will only have privileges to add accounts, so existing accounts
> like admin/root are safe.

Bear in mind that if you have wildcards anywhere in your ACLs, you don't
just care about existing accounts, but also about creating new  
accounts that may match existing wildcards.

> How would remctl give me more security in this arrangement?

It lets you protect the access to your kadmind better, by allowing  
you to do all of the sanity checking at the point of privilege  
escalation.

In your current model, anyone who has access to the keytab on your  
web server machine (which probably means anyone who can execute  
scripts on your web server), can bypass the sanity checking that your  
script performs. If you use remctl, then the web server machine  
purely has a keytab that lets it talk to remctl, which then performs  
sanity checking before passing the request on to the kadmind. In that  
way, you can guarantee that any request _must_ have been sanity  
checked in order to reach kadmind.

Simon.
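
The sanity check discussed in this message, sketched as the code a remctl backend could run on the KDC side before any request reaches kadmind. This is an added example, not code from the thread: the realm, the sample passwd and ACL data, and all function names are hypothetical, and `fnmatch` only approximates kadmind's own wildcard matching.

```python
import fnmatch
import re

REALM = "EXAMPLE.ORG"  # assumption: placeholder realm

# Constructed sample data standing in for the passwd file and kadm5.acl.
PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
          "jdoe:x:1001:1001::/home/jdoe:/bin/sh\n"
          "ops:x:1002:1002::/home/ops:/bin/sh\n")
ACL = ("# principal           permissions\n"
       "*/admin@EXAMPLE.ORG   *\n"
       "op*@EXAMPLE.ORG       l\n")

# Single-component names only: no '/', '@' or whitespace, so a request
# can never name an instance such as jdoe/admin or another realm.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def passwd_users(text):
    """Login names from passwd-format text."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line and not line.startswith("#")}


def acl_wildcards(text):
    """Subject patterns in the ACL that contain a wildcard."""
    patterns = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and "*" in fields[0]:
            patterns.append(fields[0])
    return patterns


def check_request(name, passwd_text=PASSWD, acl_text=ACL):
    """Return the principal that may be created, or raise ValueError."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("malformed name")
    if name not in passwd_users(passwd_text):
        raise ValueError("unknown user")
    principal = f"{name}@{REALM}"
    # A new principal must not inherit rights from an existing wildcard.
    for pattern in acl_wildcards(acl_text):
        if fnmatch.fnmatchcase(principal, pattern):
            raise ValueError(f"would match ACL wildcard {pattern}")
    return principal
```

Because the check runs where the kadmin-capable keytab lives, the web server's keytab only needs permission to call this one remctl command.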


