Subject: person.root naming convention
daemon@TELECOM.MIT.EDU (Jerome H. Saltzer)
Date: Thu Dec 15 23:22:03 1988
To: kfall@OKEEFFE.BERKELEY.EDU (Kevin Fall)
Cc: Kerberos Users <kerberos@ATHENA.MIT.EDU>
In-Reply-To: kfall@okeeffe.Berkeley.EDU (Kevin Fall)'s message of Thu, 15 Dec 88 14:08:19 PST
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
> I am actually sort of curious why the convention at Athena has become
> person.root for a 'more privileged version' of person. It seems to
> me that for the super-user of a given machine, you really want
> something more like root.machine1, root.machine2.
The convention was created to accomplish two goals simultaneously:
- accountability and control over who may use root privileges
- making sure that you are able to exercise those privileges only at times you want them.
The accountability part comes from use of the /.klogin file as an
access control list on who may rlogin as root on any given system.
The administrator for machine1 may place any Kerberos principal name
in machine1:/.klogin; rlogin as root on machine1 won't work unless the
principal name in the ticket you present is in that list. Whenever a
root rlogin occurs the principal name that matched the list entry
gets logged. Finally, as Bill Sommerfeld pointed out, all that
machine1's system administrator need do to ungrant this ability is to
remove your principal name from machine1's /.klogin file. The
administrator for machine2 can choose a separate list of Kerberos
principal names for the /.klogin there.
The system administrator could put your regular principal ID in that
/.klogin file, and you would have the root privileges only when you
actually performed the rlogin to that system (and to any other that
lists you). But then any time you walked away from your workstation
to answer the phone you would be exposing not only your own things to
someone who wandered by, you might also be exposing the ability to
login as root on someone else's system. Thus the notion that you can
have multiple identities, each with a distinct password, and that the
system administrator who grants you root login ability lists an
identity that you associate with being careful, such as the one named
"yourname.root".
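The two mechanisms described above, the per-machine /.klogin list with its audit trail and the separate "careful" identity that is only obtained when root is needed, can be seen together in a small model. This is an added illustration written for this archive page, not Kerberos or rlogin source code; the /.klogin format (one principal per line, `#` comments), the log wording, the hosts machine1 and machine2, the realm and the principals kfall, kfall.root and saltzer.root, and the passwords are all constructed for the example.

```python
"""Toy model of /.klogin root-login control and of separate per-identity tickets.

Constructed illustration, not Kerberos or rlogin code. Principal names follow the
name.instance@REALM shape; every host, realm, principal and password is made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field

REALM = "ATHENA.MIT.EDU"  # assumed realm for the constructed principals


def parse_klogin(text: str) -> set[str]:
    """Parse a /.klogin file: one principal per line; blanks and '#' comments ignored (assumed format)."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")}


@dataclass
class Host:
    name: str
    klogin: set[str]                                   # contents of this host's /.klogin
    log: list[str] = field(default_factory=list)      # audit trail of root-login decisions

    def rlogin_as_root(self, ticket_principal: str) -> bool:
        """Grant root rlogin only if the principal in the presented ticket is listed; log either way."""
        if ticket_principal in self.klogin:
            self.log.append(f"{self.name}: root login granted to {ticket_principal}")
            return True
        self.log.append(f"{self.name}: root login REFUSED for {ticket_principal}")
        return False

    def revoke(self, principal: str) -> None:
        """'Ungrant': the administrator removes one entry from this host's /.klogin."""
        self.klogin.discard(principal)


@dataclass
class Workstation:
    """Holds tickets only for the identities currently logged in at this workstation."""
    tickets: set[str] = field(default_factory=set)

    def kinit(self, principal: str, password: str, passwords: dict[str, str]) -> bool:
        """Obtain a ticket for one identity; each identity has its own password."""
        if passwords.get(principal) == password:
            self.tickets.add(principal)
            return True
        return False

    def kdestroy(self, principal: str) -> None:
        self.tickets.discard(principal)

    def rlogin_root(self, host: Host, principal: str) -> bool:
        """Present the ticket for `principal` to `host`; without that ticket nothing is even attempted."""
        if principal not in self.tickets:
            return False
        return host.rlogin_as_root(principal)


def scenario() -> dict:
    """Walk through the situations in the message and return what happened."""
    plain, careful = f"kfall@{REALM}", f"kfall.root@{REALM}"
    passwords = {plain: "daily-pw", careful: "careful-pw"}            # constructed
    machine1 = Host("machine1", parse_klogin(f"# machine1 /.klogin\n{careful}\n"))
    machine2 = Host("machine2", parse_klogin(f"saltzer.root@{REALM}\n"))  # separate list
    ws = Workstation()
    ws.kinit(plain, "daily-pw", passwords)
    out = {}
    # Everyday identity is listed nowhere: a passer-by at the unattended workstation gets no root.
    out["plain_on_machine1"] = ws.rlogin_root(machine1, plain)
    # Obtain the careful identity only when root is actually needed.
    out["root_on_machine1"] = ws.rlogin_root(machine1, careful) if ws.kinit(careful, "careful-pw", passwords) else None
    out["root_on_machine2"] = ws.rlogin_root(machine2, careful)     # machine2's admin never listed kfall.root
    ws.kdestroy(careful)                                               # done with root: drop that ticket
    out["after_kdestroy"] = ws.rlogin_root(machine1, careful)
    # machine1's administrator ungrants the ability; a fresh ticket no longer helps.
    machine1.revoke(careful)
    ws.kinit(careful, "careful-pw", passwords)
    out["after_revoke"] = ws.rlogin_root(machine1, careful)
    out["machine1_log"] = list(machine1.log)
    out["machine2_log"] = list(machine2.log)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, "=", value)
```

The point the model makes concrete: the decision and the audit entry are made per host against that host's own list, and the workstation only ever risks what it currently holds a ticket for, so the everyday identity left logged in cannot be used for root anywhere.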
Jerry Saltzer