Re: Kerberized authorization service

Hm, yes, I see where you are coming from.

I think this is an area where the OSS world has the infrastructure, but
not the details to pull off what you want. I am personally a bit loathe to
suggest adding yet another service to the mix of account management,
especially given that it's unlikely to be supported by Win/Mac any time
soon, whereas the LDAP solution is already what they do. Hence why I would
suggest something tying into that. I can see the benefit of the service
you are suggesting though.

*Diverges a bit into LDAP*
In a perfect world, I would have the machine in the LDAP tree, with
containers of some description off for various services, and/or a default.
The containers would hold a list of allow/deny groups. It would be
possible to alias groups for allow/deny lists, along with creating custom
groups just for that service on that machine if so desired.

As a simple example, the mail server could have an shell group with one
allow entry point to the 'all users' group for imap/smtp access, and shell
group with a pointer to the sysadmins group.

If this was standardized into pam_ldap, then that would utilize existing
infrastructure. If you're going to hack C code in the security libs, it
would probably be better to do it with established work, plus it would
save you writing a server. Given that GSSAPI is already support for
NSS/PAM, you could still use Kerberos to keep the data secure, and allow
machines to change thier own ACL's via their host key.


Hmm, maybe this should be a project of mine... (maybe)

On Tue, Jan 22, 2008 at 06:38:50PM +1300, Edward Murrell wrote:
Sounds like something that would be better served using LDAP groups,
that way it could hook into existing infrastructure.

Well, currently I'm using PADL's support for the pam_filter keyword in
/etc/ldap.conf but it feels like a hack. I haven't been able to figure out
how
to do this otherwise with the existing software. The O'Reilly LDAP book
makes
some suggestions in this area but they don't scale well.

However, the current PADL pam implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to cobble something together
using /etc/security/access.conf, but it always felt... odd. Maybe look
into updating that?

Well, I'd rather not have to edit files on each machine as I have to do
today
(each machine will have its own customized version of ldap.conf) as it
means
that the authorization decision is no longer truly centralized.

I'm really looking for a lightweight security mechanism I can hook into
PAM: a
small client which securely connects to one of a set of authorization
servers,
passing the chosen server some data and receiving back an authorization
decision. The authorization server in turn can be very simple as it is
just a
Kerberized conduit for passing the data from the client to some backend
and
passing the backend's decision back to the client. The backend can use any
data store; I'd rather net tie it to LDAP directly as it would require me
to
mess with LDAP objects and schema's, something I'm trying to avoid.

To paraphrase, I'm looking for something akin to a Kerberized
tcpclient/tcpserver (part of djb's ucspi-tcp). That might be close enough
for
this purpose that only minor modifications would be necessary.

Cheers,
Jos

Cheers,
Edward

On Mon, 2008-01-21 at 14:36 -0800, Jos Backus wrote:

The server:
- accepts some client-generated request (containing service,
principal/username, hostname, etc.) over TCP;
- sends this data to a backend application;
- receives the response ('authorized' or 'not authorized') from the
backend;
- relays the response to the client.

The client is called by pam_exec from the account group, so it has
access to
the username; the realm could be supplied on the command line. The
client
could try multiple authorization servers to ensure availability.

The backend application could simply query a database which is
maintained by
another application (presumably with an easy to use web frontend).

Thoughts? Would I be better off using GSSAPI instead?


--
Jos Backus
jos at catnook.com


.

Relevant Pages

  • Re: Kerberized authorization service
    ... You could backend such a thing with LDAP or whatever you want ... the mail server could have an shell group with one ... While this could no doubt be made to work, it would tie the authorization ... I only have a very basic understanding of Kerberos but I'd love to help or at ...
    (comp.protocols.kerberos)
  • SUMMARY: How to authenticate a RHEL client to SunOne 5.2 Directory Server anybody done this???
    ... I got it working by running authconfig on the Linux client and selecting ... LDAP for the authentication. ... Is there anything on the LDAP server I should check?? ... # SSL enabled. ...
    (SunManagers)
  • Re: Antw: Re: LDAP Authentication Problem
    ... TLSv1 und wird auf einen SSL Client Hello Request mit TLSv1 nicht ... antworten anstatt ein SSLv3 Server Hello. ... the LDAP PAM module and the shadow package. ...
    (de.comp.sys.novell)
  • Re: TLS enabled LDAP, clients fail to connect
    ... Is the server cert trusted on the client? ... openldap-sasl-client-2.4.23 Open source LDAP client implementation ... setup a similar SSL enabled LDAP server for a client recently. ...
    (freebsd-questions)
  • Re: Kerberized authorization service
    ... whereas the LDAP solution is already what they do. ... the mail server could have an shell group with one ... While this could no doubt be made to work, it would tie the authorization ... This client and server could conceivably be created ...
    (comp.protocols.kerberos)