tech-security archive


Re: Going LDAP #2



On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson 
<ragge%ludd.ltu.se@localhost> wrote:
> Thor Lancelot Simon wrote:
>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
>>
>>>         xxinit -c (client)
>>>                 - Asks about the master machine and root password for it.
>>>                   This will get the configuration for the domain out
>>>                   of ldap and fetch a machine key.
>>>
>>
>> What is the "it" here?  If "it" means the master machine, so the LDAP
>> server and KDC's root password would have to be entered into each client
>> when that client is initialized, I really, *really* don't like this.
>>
> This should be read "principal that can extract a host keytab" for the
> client.
> Which may or may not be root, depending on how the system is configured.

Can we make it really, really difficult to be root?  This seems like a
pretty easy default to set as non-root (and document as such).  Am I
missing something?

Ideally, I'd like it to be an account that only has the permission to
do what is necessary for the final step of setting up clients:  the
situation would be a helpdesk setting up client machines for a
specific user.  It doesn't seem too onerous to make this default?

-=erik.

>
> -- Ragge
>



-- 
"Too bad $VOLUNTEERS don't get their act together and provide
$SOLUTION_TO_VERY_DIFFICULT_PROBLEM in a decent fashion" -- from IRC,
#netbsd, EFNet

