

Authentication and Authorization

Two Kerberos principals exist for use in communicating with the Admin system: kadmin/admin and kadmin/changepw. Both principals have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so that service tickets for them can only be acquired via a password-based (AS_REQ) request. Additionally, kadmin/changepw has the KRB5_KDB_PWCHANGE_SERVICE bit set so that a principal with an expired password can still obtain a service ticket for it.

The Admin system accepts requests that are authenticated to either service principal, but the sets of operations that can be performed by a request authenticated to each service are different. In particular, only the functions chpass_principal, randkey_principal, get_principal, and get_policy can be performed by a request authenticated to the kadmin/changepw service, and they can only be performed when the target principal of the operation is the same as the authenticated client principal; the function semantics descriptions below give the precise details. This means that administrative operations can only be performed when authenticated to the kadmin/admin service. The reason for this distinction is that tickets for kadmin/changepw can be acquired with an expired password, and the KADM system does not want to allow an administrator with an expired password to perform administrative operations on arbitrary principals.

Each Admin API operation authenticated to the kadmin/admin service requires a specific authorization to run. This version uses a simple named privilege system with the following names and meanings:

Get
Able to examine the attributes (NOT key data) of principals and policies.
Add
Able to add principals and policies.
Modify
Able to modify attributes of existing principals and policies; this does not include changing passwords.
Delete
Able to remove principals and policies.
List
Able to retrieve a list of principals and policies.
Changepw
Able to change the password of principals.
Setkey
Able to set principal keys directly.

Privileges are specified via an external configuration file on the Kerberos master server.

Table 3 summarizes the authorization requirements of each function. Additionally, each API function description identifies the privilege required to perform it. The authorization checks happen only if you are using the RPC mechanism. If you are using the server-side API functions locally on the admin server, the only authorization check is whether you can access the appropriate local files.
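The two-service rule and the named privileges described above can be modelled as a single decision function. This is an added example, not code from the KADM5 sources: the request structure, the bit values, and the authorize() name are assumptions, the required privilege is supplied by the caller (it would come from Table 3), and the self-only rule is simplified to a comparison of principal names.

```c
#include <stdio.h>
#include <string.h>

/* Privilege names from the page; the bit values are chosen for this example. */
enum { P_GET = 1, P_ADD = 2, P_MODIFY = 4, P_DELETE = 8,
       P_LIST = 16, P_CHANGEPW = 32, P_SETKEY = 64 };

struct request {            /* hypothetical request record */
    const char *service;    /* service principal the client authenticated to */
    const char *client;     /* authenticated client principal */
    const char *function;   /* API function requested */
    const char *target;     /* target principal of the operation */
    unsigned required;      /* privilege the function needs (from Table 3) */
    unsigned granted;       /* client's privileges from the config file */
};

/* Functions reachable through kadmin/changepw, as listed on the page. */
static const char *const self_service[] = {
    "chpass_principal", "randkey_principal", "get_principal", "get_policy" };

/* Returns 1 to allow the request, 0 to deny it. */
int authorize(const struct request *r)
{
    size_t i;
    if (strcmp(r->service, "kadmin/changepw") == 0) {
        /* The ticket may have been obtained with an expired password:
           allow only the listed functions, and only on the client itself. */
        if (strcmp(r->client, r->target) != 0)
            return 0;
        for (i = 0; i < sizeof self_service / sizeof self_service[0]; i++)
            if (strcmp(r->function, self_service[i]) == 0)
                return 1;
        return 0;
    }
    if (strcmp(r->service, "kadmin/admin") == 0)
        return r->required != 0 && (r->granted & r->required) == r->required;
    return 0;   /* any other service principal: deny */
}

int main(void)
{
    /* Constructed sample: an administrator authenticated via kadmin/changepw. */
    struct request r = { "kadmin/changepw", "alice/admin", "chpass_principal",
                         "bob", P_CHANGEPW, P_CHANGEPW | P_MODIFY };
    printf("changepw, other principal: %d\n", authorize(&r));
    r.service = "kadmin/admin";
    printf("admin, Changepw granted:   %d\n", authorize(&r));
    return 0;
}
```

The first request is denied even though the client holds the Changepw privilege, because privileges are only consulted for requests authenticated to kadmin/admin.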


Autobuild 2006-06-16