Russ Allbery wrote:
> Simon Wilkinson <[EMAIL PROTECTED]> writes:
>
>> It's not clear from your description how you check that the script is
>> creating the 'correct' account name for a particular user - nor how you
>> protect against denial of service attacks, or attacks which create
>> 'magic' account names (root, <blah>/ admin, anything else your site has
>> in a wildcard)
>
> http://www.eyrie.org/~eagle/software/kadmin-remctl/ may be helpful in that
> respect.

The script will check that the user is in the /etc/password file. The keytab will only have privileges to add accounts, so existing accounts like admin/root are safe.

How would remctl give me more security in this arrangement? The key issue seems to be protecting the keytab, verifying the URL used, and validating the request for a valid username to create.

Jason

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
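
The username validation discussed in this thread, sketched as an added example (not code from the post or from kadmin-remctl). The function names, the reserved-name list, the UID cutoff, the sample passwd content and the idea that the web front end supplies an authenticated login are all assumptions for illustration.

```python
import re

# Constructed sample in /etc/passwd format (not from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
admin:x:1002:1002:Local admin:/home/admin:/bin/bash
"""

# Assumed site policy: names never created on request, even if in passwd.
RESERVED = {"root", "admin", "krbtgt", "kadmin", "host"}
# Plain lowercase login only: rejects '/', '@', whitespace and a leading '-',
# so instance names (user/admin) and foreign realms cannot be requested.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,30}")
MIN_UID = 1000  # assumed boundary between system and human accounts


def passwd_users(passwd_text, min_uid=MIN_UID):
    """Return login names of non-system accounts from passwd-format text."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        if int(fields[2]) >= min_uid:
            users.add(fields[0])
    return users


def principal_to_create(requested, authenticated_user, passwd_text):
    """Return the principal name to create, or raise ValueError.

    authenticated_user is assumed to come from the web server's own
    authentication, never from the request body.
    """
    if not NAME_RE.fullmatch(requested):
        raise ValueError("not a plain login name")
    if requested in RESERVED:
        raise ValueError("reserved principal name")
    if requested != authenticated_user:
        raise ValueError("may only request an account for yourself")
    if requested not in passwd_users(passwd_text):
        raise ValueError("no such local user")
    return requested
```

The syntax and reserved-name checks run before the passwd lookup, so a name like admin is refused even though the sample file contains it.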
