[29187] in Kerberos


Re: Kerberized authorization service

daemon@ATHENA.MIT.EDU (Jos Backus)
Tue Feb 5 16:17:53 2008

Date: Tue, 5 Feb 2008 13:17:27 -0800
From: Jos Backus <jos@catnook.com>
To: kerberos@mit.edu
Message-ID: <20080205211727.GB93626@lizzy.catnook.local>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <21823.1201614017@malison.ait.iastate.edu>
Reply-To: jos@catnook.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Jan 29, 2008 at 07:40:17AM -0600, John Hascall wrote:
> We have had a simple kerberized accessd service here for almost
> 20 years now.  It's some pretty ugly code, but if you wanted to
> make your own it would be about a day's project.  Ours uses the
> kind of really trivial protocol one might come up with when one
> has a day to create it :) 
> like:
>     sendauth(as host/host.name usually) -->
> then                           |------ nul-terminated strings ---------|
>     2bytes-count 2bytes-opcode princ resource mode wherefrom whatcomment -->
>     2bytes-count,2bytes-replycode <--   (false/true basically)
> 
> for example, sshd (via pam) might send
>     ##,access,john@IASTATE.EDU,foo.iastate.edu,,bar.iastate.edu,ssh
> ksu might send:
>     ##,access,john@IASTATE.EDU,foo.iastate.edu,root,ttyp6,su
> Our management system, moira, might send:
>     ##,add,john@IASTATE.EDU,foo.iastate.edu,...
>        delete ...
>        rename ...
> and so on.  It also supports hierarchical lists (e.g., foo.iastate.edu
> contains foo-staff and foo-guests which contain users, etc.)
> 
> Resource names can be machines or printers or whatever (for example,
> we have an apache module that queries it too)
>  
> Recently, I had a couple of my student employees work up a
> proof-of-concept using SAML (with a kerb auth as part of the payload)
> as the protocol -- since SAML seems like a more likely future direction
> for a standardized auth protocol than something I threw together one
> night in 1990 :)
> 
> You could backend such a thing with LDAP or whatever you want
> (we use an in-core flattened double-hash structure,
> backed with a simple on-disk log-structured copy
> so that all operations are more-or-less done in small constant "O(1)" time.

You think you could make either (or both) implementations available for public
consumption?  I'd love to have a look. If nothing else it sounds
battle-tested. :-)

Thanks,
-- 
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
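The framing John describes above (2-byte count, 2-byte opcode, nul-terminated fields, then a 2-byte count and 2-byte reply code back), worked through as an added encoder/decoder. This is example code written for this page, not the Iowa State accessd code or the moira/pam clients; it assumes network byte order, that the count covers the bytes after the count field, and invents the opcode numbers, since the post names the operations but not their values. The Kerberos sendauth step is assumed to have already happened on the connection.

```python
"""Encoder/decoder for the accessd-style request framing from the thread (added example)."""
import struct

OPCODES = {"access": 1, "add": 2, "delete": 3, "rename": 4}  # hypothetical numbering
REQUEST_FIELDS = ("princ", "resource", "mode", "wherefrom", "whatcomment")


def encode_request(opcode, princ, resource, mode, wherefrom, whatcomment):
    """count(2) opcode(2) followed by five nul-terminated strings; empty fields allowed."""
    fields = (princ, resource, mode, wherefrom, whatcomment)
    for f in fields:
        if "\0" in f:  # an embedded nul would shift every later field over by one
            raise ValueError("field contains nul byte")
    body = struct.pack("!H", OPCODES[opcode])
    body += b"".join(f.encode("ascii") + b"\0" for f in fields)
    if len(body) > 0xFFFF:
        raise ValueError("request too long for a 2-byte count")
    return struct.pack("!H", len(body)) + body


def decode_request(data):
    """Parse one frame; reject truncated/overlong frames and a wrong number of fields."""
    if len(data) < 4:
        raise ValueError("short frame")
    count, opcode = struct.unpack("!HH", data[:4])
    if count != len(data) - 2:  # count is assumed to cover opcode plus strings
        raise ValueError("count does not match frame length")
    body = data[4:]
    if not body.endswith(b"\0"):
        raise ValueError("last string is not nul-terminated")
    parts = body[:-1].split(b"\0")
    if len(parts) != len(REQUEST_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(REQUEST_FIELDS), len(parts)))
    names = {v: k for k, v in OPCODES.items()}
    values = (p.decode("ascii") for p in parts)
    return names.get(opcode, "unknown"), dict(zip(REQUEST_FIELDS, values))


def encode_reply(granted):
    """count(2) replycode(2); the post describes the reply as basically true/false."""
    return struct.pack("!HH", 2, 1 if granted else 0)


def decode_reply(data):
    """Accept exactly one 4-byte reply; anything else is malformed."""
    if len(data) != 4:
        raise ValueError("malformed reply")
    count, code = struct.unpack("!HH", data)
    if count != 2:
        raise ValueError("malformed reply")
    return code == 1
```

The sshd/pam line from the post ("access", john@IASTATE.EDU, foo.iastate.edu, empty mode, bar.iastate.edu, ssh) round-trips through encode_request/decode_request; the nul check and count check are what keep a client from smuggling an extra field or a truncated frame past the server.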
