[Opendnssec-develop] Wild idea :- Kerberos for fine-grained control
jerry at opendnssec.org
Thu Sep 26 16:23:19 CEST 2013
On Sep 26, 2013, at 15:55 , Rick van Rein (OpenFortress) wrote:
>> Currently for 1.3/1.4 there is also the issue of file system access, the user that is performing actions needs certain kind of access to different files and that it not something Kerberos can help you with.
> You'd have to run setuid root or do what 2.0 does:
No you don't need setuid root (you should never do that). I should be possible (I have, works but not tested fully) setup OpenDNSSEC and SoftHSM usable by other account by adding them into the correct groups and making sure files stay in the right user:group and access.
>> If we want to implement something like Kerberos we first must implement multi-user access, today if you have access to OpenDNSSEC tools you can do anything. If we redesign OpenDNSSEC for a multi-user environment in the future I would rather see PAM or similar systems integrated that will give access to even more ways to authenticate users.
> The sort of things I proposed to put into the config files are, I suppose, what you mean with multi-user access. Yes, that might be difficult to do in general. In that setting, I suppose I'm proposing to not jump to the locally available Posix accounts without further thought. Many users could share a Posix account ("www-data" for instance) to get constrained access to ODS based on their Kerberos credentials.
If they are sharing an account, in what ever way, to access OpenDNSSEC then its all outside of OpenDNSSEC and there is no need for multi-user support in OpenDNSSEC.
If OpenDNSSEC supports multi-user environments with access levels then they won't need a shared account since they have the access that is defined to them in what ever way they authenticate.
Jerry Lundström - OpenDNSSEC Developer
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 625 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Opendnssec-develop