LCFG Profile Security Project

May 17, 2018

In the LCFG installer we have previously only needed to prompt the administrator for a Kerberos principal and password when using the kdcregister tool. With a switch to GSSAPI authentication for LCFG profile fetching we now need the administrator to also authenticate for that purpose. Everyone knows that system administrators are busy people who really don’t want to be prompted twice for the same principal/password, so we need to avoid that if at all possible.

For most services, once the user has authenticated and acquired a ticket granting ticket (TGT) they don’t need to authenticate again. kdcregister, however, needs a kadmin/admin ticket, which causes us a slight problem as it typically (depending on site policy) cannot be acquired using the TGT. This is a deliberate security measure to make it harder to become an admin user with enhanced privileges to modify entries in the KDC.

The simple solution taken for the LCFG installer is to prompt the user for principal and password once and then use them behind the scenes to authenticate twice with kinit, in slightly different ways, using two different credential cache files. As we have to do a number of LCFG profile fetches, the KRB5CCNAME environment variable gets set to the path of the credentials cache which holds the TGT, so all profile fetches (and anything else which might need it) will just work.

For this to work with the kdcregister tool the code had to be modified (see bug#1068 for details) to support a new command line option so that the path to the credentials cache can be specified. Previously kdcregister always used the default credentials cache, which was either the path in KRB5CCNAME or whatever krb5.conf had specified. With those modifications in place the LCFG installer is now fully ready for fetching LCFG profiles in a secure way which doesn’t require any extra authentication steps for administrators.

For this part of the project to be fully complete there are still quite a few resource changes which need to be pushed out over the next few weeks, but those can only happen once sites have deployed new installer images.
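
The prompt-once, authenticate-twice flow described above, sketched as an added example; this is not the LCFG installer's own code. It assumes MIT Kerberos kinit (`-c` for the cache, `-S` for the service, password read from stdin when stdin is not a terminal), and the names `acquire_caches`, `TGT_CACHE`, `ADMIN_CACHE` and `KINIT` are hypothetical.

```shell
#!/bin/sh
# Added illustration (not LCFG installer code): one prompt, two credential caches.
# Assumes MIT Kerberos kinit: -c selects the cache, -S the service, and the
# password is read from stdin when stdin is not a terminal.
# Function and variable names here are hypothetical.

KINIT=${KINIT:-kinit}    # overridable so the flow can be exercised without a KDC

# acquire_caches PRINCIPAL PASSWORD DIR
# Puts a normal TGT in DIR/tgt.cc and a kadmin/admin ticket, obtained directly
# from the password rather than from the TGT, in DIR/admin.cc.
acquire_caches() {
    TGT_CACHE="FILE:$3/tgt.cc"
    ADMIN_CACHE="FILE:$3/admin.cc"
    # printf is a builtin in bash and dash, so the password never reaches argv.
    printf '%s\n' "$2" | "$KINIT" -c "$TGT_CACHE" "$1" || return 1
    printf '%s\n' "$2" | "$KINIT" -c "$ADMIN_CACHE" -S kadmin/admin "$1" || return 1
    # Profile fetches and any other GSSAPI client find the TGT through this.
    KRB5CCNAME=$TGT_CACHE
    export KRB5CCNAME
}

main() {
    umask 077                        # cache files readable by their owner only
    dir=$(mktemp -d) || exit 1
    trap 'stty echo 2>/dev/null; rm -rf "$dir"' EXIT   # drop both caches on exit
    printf 'Kerberos principal: '; read -r principal
    printf 'Password: '
    stty -echo; read -r password; stty echo; echo
    acquire_caches "$principal" "$password" "$dir" || exit 1
    unset password
    echo "TGT cache (KRB5CCNAME): $KRB5CCNAME"
    # This second cache is the one to hand to kdcregister through its new
    # cache-path option; the page does not name that option, so no call is shown.
    echo "kadmin/admin cache: $ADMIN_CACHE"
    # Installer steps that use the two caches would follow here.
}

# Prompt only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Keeping the two caches in separate files means the privileged kadmin/admin ticket is never in the default cache that KRB5CCNAME exposes to every GSSAPI client.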