[Macpartners] authentication->loginhook->authorization
Kerem B Limon
k_limon at MIT.EDU
Fri Jun 10 14:37:28 EDT 2005
One more comment re: your comments way below...one problem with your interim
loginhook is potentially a security one. Part of the point of the directory
services lookup is not just to determine the user's account metadata (home
directory, UID, etc.), but also to act as a means to *authorize* them (or not) to
log in to the machine (since Kerberos is doing the *authentication*, and
authorization and directory services are two other separate parts of the login
process).
If you have a mechanism by which you are creating local directory entries on the
fly to anyone (without doing a directory lookup to see if they even exist in
the directory store you wish to reference), you're sort of 'fudging' the
authorization step by accepting the issue of a valid Kerberos ticket as
authorization. I cannot think of a particular exploit right off the top, but it
sounds...wrong.
BTW, Eric--what are our chances of getting Apple to put cross-realm Kerberos
support into the AD plug-in (in this century, that is)?
-Kerem
Quoting Duncan Kincaid <dsk at MIT.EDU>:
> a (silly?) question:
> has anyone succeeded in having a loginhook script run BEFORE a
> directory services lookup is executed during login sequence?
>
> thanks
> dk
>
> reason for question below (if interested):
>
> objective: have any athena user login to our 'macathenised' macs
> without our having to provide LDAP directory services. (there is no OS
> X Directory Access plug-in for moira... yet... ever?)
>
> plan: user authenticates against KDC, then loginhook shell script runs
> which creates user's netinfo record on the fly, then login continues by
> accessing the just created local netinfo record and completes.
>
> thought this might work given loginwindow documentation. but doesn't
> seem to.
> in particular, it appears loginhook simply does not run unless the mac
> can find a netinfo (or LDAP, i.e. Directory Services) entry for the
> user logging in. in other words, contrary to my understanding,
> loginwindow executes a directory services lookup immediately following
> authentication THEN runs loginhook if user record found. i suppose this is
> perfectly reasonable, but no less disappointing.
>
> any ideas as to how i might get a script running AFTER user
> authenticates, but BEFORE loginwindow's directory services lookup would
> be most welcome.
>
> [the aforementioned loginhook shell script grabs the username, gets the
> user's uid with a 'pts examine', and calculates the athena home
> directory.
> then builds a local netinfo record for user (if one doesn't already
> exist) using niutil]
>
> OS X 10.3.9
>
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners
>
Kerem B. Limon
kerem.limon at mit.edu /e-mail
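To make Kerem's point concrete against the loginhook Duncan describes (username, uid via 'pts examine', computed Athena home, then a local record), here is an added example, not code from either poster, of the same hook shape with an explicit authorization lookup inserted before any record is built. Assumptions: the allowed-user list is a constructed file standing in for a real directory lookup, 'pts examine' is simulated by fake_pts_examine, the Athena home path convention /afs/athena.mit.edu/user/<c1>/<c2>/<user> is taken as an assumption, and niutil writes are replaced by printing the record fields.

```shell
#!/bin/sh
# Added example: a loginhook-style gate that separates authentication
# (the Kerberos ticket loginwindow already verified) from authorization
# (is this principal allowed on THIS machine?). Nothing here is from the thread.

# Constructed stand-in for the authorization store (one allowed user per line).
# In a real deployment this would be a directory/LDAP lookup, not a flat file.
ALLOWED="${TMPDIR:-/tmp}/allowed_users.$$"
printf '%s\n' dsk k_limon > "$ALLOWED"

# Constructed stand-in for 'pts examine <user>' (AFS protection server output).
fake_pts_examine() {
    case "$1" in
        dsk)     echo "Name: dsk, id: 12345, owner: system:administrators, creator: system:administrators," ;;
        k_limon) echo "Name: k_limon, id: 23456, owner: system:administrators, creator: system:administrators," ;;
        *)       echo "pts: User or group doesn't exist so couldn't look up id for $1" >&2; return 1 ;;
    esac
}

# Assumed Athena convention: /afs/athena.mit.edu/user/<1st char>/<2nd char>/<user>
athena_home() {
    u="$1"
    printf '/afs/athena.mit.edu/user/%s/%s/%s\n' \
        "$(printf %s "$u" | cut -c1)" "$(printf %s "$u" | cut -c2)" "$u"
}

# Authorization step: a valid ticket proves identity, not entitlement.
is_authorized() {
    grep -qxF -- "$1" "$ALLOWED"
}

# Returns 1 and writes nothing unless the user passes the authorization lookup;
# otherwise prints the fields a local record would be built from.
build_local_record() {
    user="$1"
    is_authorized "$user" || { echo "DENY: $user not in authorization store" >&2; return 1; }
    uid=$(fake_pts_examine "$user" | sed -n 's/^Name: [^,]*, id: \([0-9]*\),.*/\1/p')
    [ -n "$uid" ] || { echo "DENY: no uid for $user" >&2; return 1; }
    printf 'name=%s uid=%s home=%s\n' "$user" "$uid" "$(athena_home "$user")"
}
```

Without is_authorized, any principal the KDC vouches for gets a local record and therefore a login; with it, the hook refuses unknown users before touching netinfo.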