[Opendnssec-develop] Wild idea :- Kerberos for fine-grained control
Rick van Rein (OpenFortress)
rick at openfortress.nl
Thu Sep 26 13:09:56 UTC 2013
I've lately been catching up on Kerberos, and found that it is incredibly powerful. It might actually be beneficial to OpenDNSSEC...
* to offload the root account
  - bring limited uses of the tools down to user level -- so less need to use the PIN-owning root account
  - note that OpenDNSSEC assumes that the PIN is stored in a file visible to root
  - also note that many PKCS #11 libraries store the PIN in memory and send it along with every card transaction
  - this could make it less scary to run the tools (indirectly) from a web environment
  - this could make it less scary to run the tools in response to an SSH request
* for finer-grained access control
  - who can make change X to zone Y could be configured in kasp.xml or zones.xml
  - zone reloads, re-signing actions and so on might follow a similar system
  - ideal for multiple-tenant systems such as in use by DNS service providers / registrants?
* for end-to-end authentication
  - user's authenticity forms a chain from their local machine through to OpenDNSSEC
  - Kerberos can cut through protocols like RSH, SSH, RSYNC, MOSH and even HTTP
  - most web browsers support Kerberos authentication: IE, Firefox, Safari, and even Curl; unsupporting ones are rare: Opera, wget
  - end-user can start their authentication chain on any system, independent of POSIX accounts, as long as "kinit" is installed
  - note that arrangements for cross-realm authentication exist, so a client need not log on to OpenDNSSEC's domain to access it
* to make it fit into many environments with much grace
  - Apple has it on board; you can run kinit in a shell or integrate it with the normal login process
  - Windows does this all the time, when logging on to a domain (WFW or AD DC)
  - Linux users just install "krb5-user" or a similar package to be able to "kinit"
  - To a user, Kerberos is actually very simple… log on once a day/session and use as SSO
  - Users can switch between authenticated names, or roles, e.g. rick@OPENDNSSEC.ORG vs. rick/admin@OPENDNSSEC.ORG
I can get really excited about technology I've just discovered, but this list of possibilities might be worthy of some attention to OpenDNSSEC?
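The per-zone, per-action authorization the message sketches (who may do X to zone Y, decided on Kerberos principals such as rick@ vs. rick/admin@), as an added illustration that is not from the original post and not OpenDNSSEC's own code; the `<ZoneACL>` markup, the action names and the principals are constructed assumptions, not any real zones.xml schema.

```python
"""Hypothetical per-zone ACL keyed on Kerberos principals (constructed example)."""
import xml.etree.ElementTree as ET
from typing import NamedTuple


class Principal(NamedTuple):
    primary: str
    instance: str   # '' when there is no instance: 'rick' vs 'rick/admin'
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its parts; the realm is mandatory
    so that a cross-realm principal can never be confused with a local one."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    primary, _, instance = local.partition("/")
    if not primary or not realm:
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(primary, instance, realm)


# Constructed ACL in the spirit of a zones.xml extension (not a real OpenDNSSEC schema).
ACL_XML = """<ZoneACL>
  <Zone name="example.org">
    <Allow principal="rick/admin@OPENDNSSEC.ORG" actions="sign,reload,rollover"/>
    <Allow principal="rick@OPENDNSSEC.ORG" actions="reload"/>
    <Allow principal="*/admin@PARTNER.EXAMPLE" actions="reload"/>
  </Zone>
</ZoneACL>"""


def _matches(pattern: Principal, who: Principal) -> bool:
    # '*' may stand in for one whole component; an empty instance only matches an empty one,
    # so a rule for 'rick@REALM' does not silently cover 'rick/admin@REALM' or vice versa.
    return all(p == "*" or p == w for p, w in zip(pattern, who))


def is_allowed(acl_xml: str, principal: str, zone: str, action: str) -> bool:
    """Deny by default; allow only when an <Allow> entry under the named zone matches
    the authenticated principal component by component and lists the requested action."""
    who = parse_principal(principal)
    for z in ET.fromstring(acl_xml).findall("Zone"):
        if z.get("name") != zone:
            continue
        for rule in z.findall("Allow"):
            actions = {a.strip() for a in rule.get("actions", "").split(",")}
            if action in actions and _matches(parse_principal(rule.get("principal")), who):
                return True
    return False
```

The principal string would come from the Kerberos-authenticated session (e.g. the client name in the accepted ticket), never from user-supplied input.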