[1635] in Kerberos
Kerberos 4 Userid Administration
daemon@ATHENA.MIT.EDU (Steve Clark)
Mon Nov 11 17:14:03 1991
Date: 11 Nov 91 21:12:25 GMT
From: seclark@iscnvx.lmsc.lockheed.com (Steve Clark)
To: kerberos@shelby.Stanford.EDU
As a newcomer to Kerberos internals and understanding how to
administer/use Kerberos I need to know:
- How do sites with a large, heterogeneous, set of hosts administer
userids (Kerberos and end-hosts)?
Our userids are currently administered at the end-nodes. A userid
"smith" on host A doesn't necessarily belong to the same person
as "smith" on host B. That means if I create a Kerberos userid
"smith" which gives access to same userid name on both hosts A and B,
that I either have to:
- Change some end-node userids to ensure there is only one
real "smith". This implies alot of administrative labor
for us since we have 1,000+ nodes. Unfortunately, we
don't have a central database listing who has what userids
on what machines. Changing ids would also be an inconvenience
to users.
- Enforce the use of .klogin files for each end-node userid
under Kerberos specifying the principals allowed. This would
require changes to MIT Kerberos -- not a big problem. But, how
would I handle this when using vendor ports of Kerberos?
- Use some sort of principal/userid mapping system. It would be
nice for every employee to have a unique Kerberos userid that could
map to other userid names for accessing end-nodes. This way I would
not have to change any existing userids at the end-nodes and I
could take care of the situation where "smith" for host A should not
have access to "smith" on host B.
or
- Set up multiple realms. A given userid-name would have to belong to
the same individual across all hosts within the realm. This may be
what we have to do, but we want to minimize the number of times a
user has to log into Kerberos. The more realms we define, the more
potential Kerberos logins a user may have to make. There is still a
fair amount of administrative effort required for this option too.
Questions:
- Does the authorization model using access control lists described
in the Athena Technical Plan exist under Kerberos 4 or 5 (other than
for the .klogin file)? If so do the BSD applications under Kerberos
level 4 make use of this facility? How do I set it up and use it?
Am I restricted to the list in the .klogin file? Can a parameter be
set to require the .klogin file be used (e.g. refuse all access requests
if the file doesn't exist)? The way it seems to work by default is to
grant access if .klogin doesn't exist.
- Section 3 (Naming - Local Names) of the Athena Technical Plan hints
that the authorization name space is independent of end-hosts' username
space, but later says, "Berkeley Unix applications that are modified
to use Kerberos authentication generally support only the identity
mapping from a Kerberos principal identifier to the same Unix login name."
What exactly is the situation under Kerberos 4.9 and level 5?
- Is there any other kind of principal-name to userid mapping I can employ
under Kerberos 4 patch 9 (from MIT or other source)? If anyone out there
has implemented something in this area I'd like to know.
Thanks for your help.
================================
Steve Clark
Lockheed Missiles and Space
Sunnyvale, CA
seclark@iscnvx.lmsc.lockheed.com
================================
