Restricting access to kadmind
Dave Shrimpton
shrimpto at its.uq.edu.au
Mon Aug 19 22:12:34 EDT 2002
Is there a way of restricting access to MIT K5 kadmind
from kadmin so that principals who are not listed in
kadm5.acl are unable to do a getprinc on themselves or
better still are unable to obtain a kadmin/admin ticket
at all, even if they have successfully authenticated?
Currently any principal that successfully authenticates
can do a 'getprinc' on themselves. This is
not stopped by an entry such as
* ADMCIL *
nor by an entry with the principal explicitly listed, e.g.
bloggsj at REALM ADMCIL bloggsj at REALM
This might reduce the risk of exploitation of bugs in
kadmind such as the recent "Integer Overflow in XDM library"
(CERT CA-2002-25, MITKRB5-SA-2002-001)
--
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University of Qld 4072 shrimpto at its.uq.edu.au
Brisbane Australia