[Opendnssec-develop] Wild idea :- Kerberos for fine-grained control

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Sep 26 13:55:54 UTC 2013


> This is really a wild idea.

I know… but setting an ideal future can be helpful to give a direction to a project.

> At first glance, I think you may be misunderstanding what Kerberos actually is. It will authenticate a user in a very secure way but it does not handles access control in the way you describe in some of the suggestions.

I know.  Usually, authorization (access control) is setup within an application based on the authenticated identity provided by, in this case, Kerberos.  For example, the ~/.k5login file does to Kerberised RSH what .ssh/authorized_keys does to SSH.

> Currently for 1.3/1.4 there is also the issue of file system access, the user that is performing actions needs certain kind of access to different files and that it not something Kerberos can help you with.

You'd have to run setuid root or do what 2.0 does:

> For 2.0 we will have a clear separation of the file level access between the user and daemon by doing almost everything via UNIX sockets but I don't see a real use of Kerberos here.

So that's a -1 from you.

> If we want to implement something like Kerberos we first must implement multi-user access, today if you have access to OpenDNSSEC tools you can do anything. If we redesign OpenDNSSEC for a multi-user environment in the future I would rather see PAM or similar systems integrated that will give access to even more ways to authenticate users.

The sort of things I proposed to put into the config files are, I suppose, what you mean with multi-user access.  Yes, that might be difficult to do in general.  In that setting, I suppose I'm proposing to not jump to the locally available Posix accounts without further thought.  Many users could share a Posix account ("www-data" for instance) to get constrained access to ODS based on their Kerberos credentials.

PAM is a more general solution because it does Kerberos and much more as well.  Perfect.  I will still see an opening to put Kerberos in though, and will probably look make sure it remains possible.


More information about the Opendnssec-develop mailing list