[cabf_netsec] Accounts, Access and Credentials
Ben Wilson
bwilson at mozilla.com
Mon Apr 27 07:52:07 MST 2020
Do we have a recording of this discussion? There was a lot of stuff that
we covered, and I'm wondering if listening to it again could help clarify
where we need to go with the draft system account ballot?
On Thu, Apr 16, 2020 at 11:08 AM Neil Dunbar via Netsec <netsec at cabforum.org>
wrote:
> All,
>
> So here's my (current) thinking on the ballot regarding system
> accounts/user accounts.
>
> It seems that many operations have a centralised list of accounts which
> represents the maximum _potential_ set of different access identifiers to
> any given system (example: an enterprise wide LDAP service, and each system
> is configured to use sssd as its system account database provider). What
> this means is that I, as a system administrator, could execute:
>
> getent passwd
>
> and get a long list of alice, bob, charlie, dave ... Of whom only bob is
> actually supposed to be using the system. Now, most of those users will be
> assigned to groups, or roles, or some sort of privilege assignment. It's
> that association of account -> privilege which defines the ability to use
> the system, not the existence of an account name per se.
>
> So, when I hear the terms "account" and "credential", I tend to think of
> usernames and passwords, which are not *necessarily *the things that I
> might want to see controlled. It's the association of privileges that I
> want to see demonstrably controlled.
>
> So, when we talk about "deactivating" the account, it seems to me that
> what we want is for the privilege association between the account name and
> the host to be broken; we remove the username from the group "
> sensitive_host_users", or we take them out of "two_factor" roles (meaning
> that their credentials might still work, but are insufficient to access the
> sensitive host, etc.).
>
> But I wonder if this is what others on the group are thinking?
>
> Looking forward to talking this through,
>
> Neil
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20200427/10da4fa6/attachment.html>
More information about the Netsec
mailing list