[Opendnssec-develop] Wild idea :- Kerberos for fine-grained control

Jerry Lundström jerry at opendnssec.org
Thu Sep 26 13:43:13 UTC 2013


Hi,

On Sep 26, 2013, at 15:09 , Rick van Rein (OpenFortress) wrote:

> I've lately been catching up on Kerberos, and found that it is incredibly powerful.  It might actually be beneficial to OpenDNSSEC...


This is really a wild idea.

At first glance, I think you may be misunderstanding what Kerberos actually is. It will authenticate a user in a very secure way, but it does not handle access control in the way you describe in some of the suggestions.

Currently for 1.3/1.4 there is also the issue of file system access: the user that is performing actions needs a certain kind of access to different files, and that is not something Kerberos can help you with.

For 2.0 we will have a clear separation of the file level access between the user and daemon by doing almost everything via UNIX sockets but I don't see a real use of Kerberos here.

If we want to implement something like Kerberos we first must implement multi-user access; today, if you have access to OpenDNSSEC tools, you can do anything. If we redesign OpenDNSSEC for a multi-user environment in the future I would rather see PAM or similar systems integrated that will give access to even more ways to authenticate users.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
