Running KDC as non-root and dockerize KDC


Running KDC as non-root and dockerize KDC

Yegui Cai
Hi all.

This could be two threads, but I have the following two questions at the same
time.
1. Can we run the KDC as a non-root user? Meaning, is it required to run the KDC as
root?
2. Are there any official Docker images for the KDC, or any plan to have one?

Thanks!
Yegui
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Running KDC as non-root and dockerize KDC

Robbie Harwood
Yegui Cai <[hidden email]> writes:

> Hi all.
>
> This can be two threads but I have the following two questions at the
> same time.
>
> 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as
> root?

The KDC and kadmin want several low-number ports, including 88, 749, and
possibly 754.  They also need permissions set up correctly in order to
access the datastore.  Modifying these permissions requires some care to
avoid circumventing any additional protections your system may already
have (e.g., SELinux).  I'm not aware of other potential issues.

> 2. Is there any official docker images for KDC? or any plan to have
> one?

The FreeIPA project has container images for the server:
https://www.freeipa.org/page/Docker (note that this includes more than
just a KDC, though).

I'm not aware of anyone else distributing images, but there's nothing
that stops you from setting it up in a container.

Thanks,
--Robbie


Re: Running KDC as non-root and dockerize KDC

Jim Shi
In reply to this post by Yegui Cai


> On Jan 4, 2019, at 6:55 AM, Yegui Cai <[hidden email]> wrote:
>
> Hi all.
>
> This can be two threads but I have the following two questions at the same
> time.
> 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as
> root?

Yes, a root user is not required.

> 2. Is there any official docker images for KDC? or any plan to have one?
>
> Thanks!
> Yegui
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos



Re: Running KDC as non-root and dockerize KDC

Grant Taylor
In reply to this post by Robbie Harwood
On 1/4/19 9:14 AM, Robbie Harwood wrote:
> The KDC and kadmin want several low-number ports, including 88, 749,
> and possibly 754.

It's possible (on Linux) to give utilities access to bind to ports below
1024 as a non-root user by adding the cap_net_bind_service capability via
the setcap command.

Aside:  How well would Kerberos work if these services ran on a high
port and IPTables magic was used to redirect requests to the low ports
up to high ports?



--
Grant. . . .
unix || die


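The two workarounds Grant raises (a file capability via setcap, and iptables redirection of the standard ports, which Russ later notes must cover both UDP and TCP) as an added shell example; this is not code from the thread, and the binary paths and high port numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two workarounds discussed in it,
# as helper functions. Paths and high ports are assumptions. Without APPLY=1
# the script only prints what it would run; with APPLY=1 (as root) it runs it.

# Grant the binary the right to bind ports below 1024 without running as root.
kdc_bind_cap() {
    bin="$1"   # e.g. /usr/sbin/krb5kdc or /usr/sbin/kadmind (assumed paths)
    if [ "${APPLY:-0}" = "1" ]; then
        setcap cap_net_bind_service=+ep "$bin" && getcap "$bin"
    else
        echo "setcap cap_net_bind_service=+ep $bin"
    fi
}

# Emit nat-table REDIRECT rules sending one standard port to a high port.
# $1 = low port, $2 = high port, $3 = protocols to cover (default: both).
kdc_redirect_rules() {
    low="$1"; high="$2"; protos="${3:-udp tcp}"
    for p in $protos; do
        echo "iptables -t nat -A PREROUTING -p $p --dport $low -j REDIRECT --to-ports $high"
        # Locally generated traffic (kadmin run on the KDC host) bypasses PREROUTING.
        echo "iptables -t nat -A OUTPUT -o lo -p $p --dport $low -j REDIRECT --to-ports $high"
    done
}

# Ports named in the thread: 88 (KDC, UDP and TCP), 749 (kadmin, TCP), 754 (kprop, TCP).
kdc_all_rules() {
    kdc_redirect_rules 88  8088 "udp tcp"
    kdc_redirect_rules 749 8749 tcp
    kdc_redirect_rules 754 8754 tcp
}

if [ "${APPLY:-0}" = "1" ]; then
    kdc_bind_cap /usr/sbin/krb5kdc
    kdc_bind_cap /usr/sbin/kadmind
    kdc_all_rules | while read -r rule; do $rule; done
else
    kdc_bind_cap /usr/sbin/krb5kdc
    kdc_all_rules
fi
```

With the redirect approach the KDC itself has to listen on the high ports (kdc_ports and kdc_tcp_ports in kdc.conf), and the nat rules are lost on reboot unless they are persisted.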

Re: Running KDC as non-root and dockerize KDC

Russ Allbery-2
Grant Taylor <[hidden email]> writes:

> Aside:  How well would Kerberos work if these services ran on a high
> port and IPTables magic was used to redirect requests to the low ports
> up to high ports?

It should be fine as long as the magic handles both UDP and TCP.

Another option would be to run the services on non-standard ports and
configure the clients.  Modern clients support SRV records, which include
the port and let you configure alternate ports.  Even older clients that
don't support SRV records can be configured in krb5.conf, which supports
specifying a port, although I'm not sure how good the support for that is
for all protocols and older versions.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: Running KDC as non-root and dockerize KDC

Grant Taylor
On 1/5/19 12:24 PM, Russ Allbery wrote:
> It should be fine as long as the magic handles both UDP and TCP.

ACK

It's trivial to add IPTables rules (the magic I was thinking of) to
handle both UDP and TCP.

> Another option would be to run the services on non-standard ports and
> configure the clients.

Ew.  I personally dislike the idea of using a configuration that
requires making changes to clients.  The sheer number of places that
changes would need to be made.  I expect the number of clients is VASTLY
higher than the number of KDCs.  So I would think that it would behoove
people to make the change on the KDC.  Ongoing maintenance of clients
would be no-fun and would require additional training on support staff.

That being said, it is nice to know that (some) Kerberos clients are
capable of connecting to non-standard ports.

> Modern clients support SRV records, which include the port and let you
> configure alternate ports.

I need to look into this.

Do you happen to know off hand if DNS lookups for SRV records happen
before or after initial connection attempts to the standard ports?

If SRV records are looked up /before/ attempting to connect to standard
ports, I could see adding SRV records as a simple optimization.

> Even older clients that don't support SRV records can be configured in
> krb5.conf, which supports specifying a port, although I'm not sure how
> good the support for that is for all protocols and older versions.

Yep.  Yet another reason to stick with standard ports without a
compelling reason to deviate.

Thank you for the feedback Russ.



--
Grant. . . .
unix || die



Re: Running KDC as non-root and dockerize KDC

Russ Allbery-2
Grant Taylor <[hidden email]> writes:

> Do you happen to know off hand if DNS lookups for SRV records happen
> before or after initial connection attempts to the standard ports?

> If SRV records are looked up /before/ attempting to connect to standard
> ports, I could see adding SRV records as a simple optimization.

Before, in the sense that you mean, although it's a little more
complicated than that since krb5.conf configuration will override SRV
records (as you might expect).  So SRV records are only used when there's
no client configuration, and in that case the client otherwise isn't going
to know what to connect to, so there wouldn't be a connection attempt to a
standard port.

The idea of SRV record configuration is that all the client needs to know
is the realm, at which point it looks up the SRV records for that realm
and gets all the other server connection information it needs from that.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
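The client-side lookup order Russ describes in his two replies (krb5.conf kdc entries, with an optional port, take precedence; SRV records for the realm are consulted only when no kdc entries exist) as an added shell example. It is not code from the thread or from MIT Kerberos: the krb5.conf text and SRV answers are constructed, no real DNS is queried, and the realm and host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the client-side lookup order Russ
# describes (krb5.conf overrides SRV; SRV is only consulted when the realm
# has no kdc entries). krb5.conf text and SRV answers are constructed here;
# there is no real DNS, and realm and host names are assumptions.

KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:8088
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    OTHER.ORG = {
        admin_server = admin.other.org
    }'

# Constructed SRV answers: "name priority weight port target" per line.
SRV_TABLE='_kerberos._udp.OTHER.ORG 0 100 8088 kdc.other.org
_kerberos._tcp.OTHER.ORG 0 100 8088 kdc.other.org
_kerberos._udp.EXAMPLE.COM 0 100 88 dns-only.example.com'

# kdc entries for a realm from krb5.conf as host:port; port defaults to 88.
kdc_from_conf() {
    printf '%s\n' "$KRB5_CONF" | awk -v realm="$1" '
        $1 == "[realms]" { in_realms = 1; next }
        /^\[/            { in_realms = 0 }
        in_realms && $1 == realm && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}"   { in_realm = 0 }
        in_realm && $1 == "kdc" { h = $3; if (h !~ /:/) h = h ":88"; print h }'
}

# Simulated lookup of _kerberos._<proto>.<realm>; targets ordered by priority.
kdc_from_srv() {
    printf '%s\n' "$SRV_TABLE" | awk -v name="_kerberos._$2.$1" '
        $1 == name { print $2, $5 ":" $4 }' | sort -n | cut -d' ' -f2
}

# Precedence: explicit configuration wins, so a standard-port connection is
# never attempted blindly; without it the realm name alone drives the SRV query.
resolve_kdc() {
    out=$(kdc_from_conf "$1")
    [ -n "$out" ] && { printf '%s\n' "$out"; return 0; }
    kdc_from_srv "$1" "${2:-udp}"
}

resolve_kdc EXAMPLE.COM   # kdc1.example.com:8088, kdc2.example.com:88 (krb5.conf)
resolve_kdc OTHER.ORG     # kdc.other.org:8088 (SRV)
```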

Re: Running KDC as non-root and dockerize KDC

Yegui Cai
In reply to this post by Robbie Harwood
Hi Robbie.

I ran into the case where the privileged ports are not allowed to be
bound. Do you know how I can work around this?

Thanks,
YC

On Fri, Jan 4, 2019 at 11:14 AM Robbie Harwood <[hidden email]> wrote:

> Yegui Cai <[hidden email]> writes:
>
> > Hi all.
> >
> > This can be two threads but I have the following two questions at the
> > same time.
> >
> > 1. Can we run KDC as a non-root user? Meaning is it required to run KDC
> as
> > root?
>
> The KDC and kadmin want several low-number ports, including 88, 749, and
> possibly 754.  They also need permissions set up correctly in order to
> access the datastore.  Modifying these permissions requires some care to
> avoid circumventing any additional protections your system may already
> have (e.g., Selinux).  I'm not aware of other potential issues.
>
> > 2. Is there any official docker images for KDC? or any plan to have
> > one?
>
> The FreeIPA project has container images for the server:
> https://www.freeipa.org/page/Docker (note that this includes more than
> just a KDC, though).
>
> I'm not aware of anyone else distributing images, but there's nothing
> that stops you from setting it up in a container.
>
> Thanks,
> --Robbie
>

Re: Running KDC as non-root and dockerize KDC

Grant Taylor
On 01/07/2019 10:31 AM, Yegui Cai wrote:
> I ran into the case where the privileged ports are not allowed to be
> bound. Do you know how I can work around this?

What OS are you running the service on that needs to bind to (or
otherwise listen to) privileged ports?



--
Grant. . . .
unix || die

