[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

Brandon S. Allbery KF8NH a écrit :
> On Feb 1, 2008, at 9:14 , Guillaume Rousse wrote:
>> Second, our usual policy is to grant admins all authorisations with
>> their standard accounts (through sudo, or ldap group ACLs, for
>> instance), so as to avoid keeping trace of shared passwords. It seems
>> the usual kerberos practice is to create additional principal with a
>> 'admin' instance for admins, but this constitute two different accounts.
>> Is there any way to automatically sync 'foo@REALM' with
>> 'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
>> grant all powers to 'foo@REALM' ?
> Minimal privilege is a very good idea in general, to help avoid mistakes
> and to make it easier to test things (if your normal account has full
> privileges, you have to use someone else's account to test and debug
> privilege/permission-related issues).  This is also why it's a bad idea
> to do everything on Unix as root or on Windows as Administrator, etc.
But using a single privilegied entity for a group of people requires to
share secrets (aka root password), which is also a bad idea, and doesn't
allow individual action tracability. Sudo is the perfect tool for
allowing controlled privilege escalation without duplicating accounts.
I'm just trying to achieving the same here with kerberos if possible.
Forcing foo/admin principal passwd to be synced with foo principal would
be a solution, for instance.

Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62