tech-security archive


Re: Going LDAP #2



On 1214696693 seconds since the Beginning of the UNIX epoch
Thor Lancelot Simon wrote:
>
>On Sat, Jun 28, 2008 at 10:55:40PM +0200, Anders Magnusson wrote:
>[I wrote]
>> > I think that this is all quite architecturally wrong.  It should not be
>> > done by pull -- much less by pull *as root* from the KDC -- it should be
>> > done by push.
>> > 
>> Eh, are you complaining about how Kerberos works, or what?
>
>No, I'm complaining about imposing one particular model of how to
>configure Kerberos hosts on NetBSD users as the norm, when that model
>is a particularly insecure one.

Typically, in a Kerberos Realm you do not define ``root'' at all.
Root passwds are used for console access to individual hosts.
Administrators are given root accounts via the convention
<user>/root@REALM.TLA, and which administrator can log in as root to
which box is specified in ~root/.k5login.  So there should be no
real ``root'' user.

For access to kadmind, the convention is <user>/admin@REALM.TLA
and the rights of each administrator are defined in
/var/heimdal/kadmind.acl.  It's not particularly inappropriate to
use <user>/root principals in there, if you want to, but it does go
against the grain a little bit to share a single root or admin
passwd amongst many different people.

I would suggest that any tooling should, even in the case where
there is a single administrator:

        1.  explain the conventions, and

        2.  create a <user>/root@REALM.TLA Kerberos principal
            rather than a ``root'' principal.

This encourages good behaviour, allows for expansion of the group
of administrators without modification and educates the userbase
about how things should work in the case that they add an administrator.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

