You can become a CTA administrator by setting your local username to that of a CTA administrator and then using ANY valid krb5 ticket
Hi Michael,
There is something wrong with how the CTA front-end is authenticating krb5 admin users. I can incorrectly become a CTA administrator if I:
- Set my local username to a user on the CTA administrator list
- Run kinit with ANY valid krb5 ticket. The ticket does NOT have to be that of a user on the CTA administrators list.
EXAMPLE
My local unix username is: smurray
[itctabuild02] ~ > whoami
smurray
[itctabuild02] ~ >
However, my default krb5 principal is: ctaadmin1@TEST.CTA
[itctabuild02] ~ > klist
Ticket cache: FILE:/tmp/krb5cc_19214
Default principal: ctaadmin1@TEST.CTA
Valid starting       Expires              Service principal
01/03/2018 23:50:53  01/04/2018 23:50:53  krbtgt/TEST.CTA@TEST.CTA
01/03/2018 23:51:04  01/04/2018 23:50:53  cta-frontend/itctabuild02.cern.ch@TEST.CTA
[itctabuild02] ~ >
Only krb5 authenticated users listed by the cta-admin admin ls command should be able to run cta-admin commands. However, here is the krb5 authenticated user ctaadmin1@TEST.CTA ironically listing the only current CTA administrator: smurray
[itctabuild02] ~ > date; cta-admin admin ls
Wed Jan 3 23:54:53 CET 2018
smurray smurray itctabuild02 Wed Jan 3 21:25:28 2018 smurray itctabuild02 Wed Jan 3 21:25:28 2018 Boostrap admin user
[itctabuild02] ~ >
The CTA xrootd logs confirm that the authenticated user is: ctaadmin1
[itctabuild02] ~ > tail -f /var/log/cta/cta-frontend-xrootd.log
...
180103 23:54:53 28379 XrootdXeq: smurray.28515:31@itctabuild02 pvt IP46 login as ctaadmin1
180103 23:54:53 28379 XrootdXeq: smurray.28515:31@itctabuild02 disc 0:00:00
Please note that you cannot trust the smurray username sent by the client; only the authenticated krb5 username can be used.
Please could you find the cause of the problem and make the necessary fix.
Thank you in advance.
Cheers,
Steve
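The authorisation decision the report asks for, written out as an added example. This is not code from the original message or from the CTA front-end: the `ClientIdentity` struct and its field names (`prot`, `principal`, `localUser`) are assumptions standing in for whatever the XRootD security layer hands the front-end, and `reportScenario()` reconstructs the situation in the report (local user smurray, ticket for ctaadmin1@TEST.CTA, admin list containing only smurray). `isAdminVulnerable` shows the behaviour described above, where the client-chosen local username is what gets looked up; `isAdminFixed` uses only the krb5-authenticated principal, and additionally insists that the identity came from the krb5 protocol and from the expected realm, since a name from an unauthenticated protocol or a foreign realm is no more trustworthy than the client-supplied username.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical stand-in for the identity information an XRootD-based front-end
// receives about a connected client. Field names are assumptions for this example.
struct ClientIdentity {
    std::string prot;       // protocol that produced the identity, e.g. "krb5" or "unix"
    std::string principal;  // authenticated principal, e.g. "ctaadmin1@TEST.CTA" (empty if none)
    std::string localUser;  // username the client process claims; NOT authenticated
};

// The scenario from the report, constructed here as sample input.
ClientIdentity reportScenario() {
    return ClientIdentity{"krb5", "ctaadmin1@TEST.CTA", "smurray"};
}

// The admin list from the report: smurray is the only bootstrap admin.
std::set<std::string> adminList() {
    return {"smurray"};
}

// Vulnerable check: authorises on the client-chosen local username.
// Anyone who can set their local username to "smurray" and present any
// valid ticket passes this check.
bool isAdminVulnerable(const ClientIdentity& c, const std::set<std::string>& admins) {
    return admins.count(c.localUser) > 0;
}

// Hardened check: authorises only on the krb5-authenticated principal.
//  - the identity must have come from the krb5 protocol, not e.g. "unix"
//  - the principal must carry a realm, and it must be the realm we trust
//  - the name part of the principal, not the client-supplied username,
//    is what is matched against the admin list
bool isAdminFixed(const ClientIdentity& c, const std::set<std::string>& admins,
                  const std::string& expectedRealm) {
    if (c.prot != "krb5" || c.principal.empty()) return false;
    const std::size_t at = c.principal.find('@');
    if (at == std::string::npos) return false;
    if (c.principal.substr(at + 1) != expectedRealm) return false;
    const std::string name = c.principal.substr(0, at);
    return admins.count(name) > 0;
}

int main() {
    const ClientIdentity c = reportScenario();
    std::cout << "client claims " << c.localUser
              << ", authenticated as " << c.principal << '\n';
    std::cout << "vulnerable check: " << (isAdminVulnerable(c, adminList()) ? "admin" : "denied") << '\n';
    std::cout << "fixed check:      " << (isAdminFixed(c, adminList(), "TEST.CTA") ? "admin" : "denied") << '\n';
    return 0;
}
```

Run stand-alone, the vulnerable check grants admin rights to the report's scenario while the fixed check denies them; the fixed check grants them only when the ticket itself is for smurray@TEST.CTA.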