Restricting access to kadmind

Marcus Watts mdw at umich.edu
Mon Aug 19 22:53:05 EDT 2002


Dave Shrimpton <shrimpto at its.uq.edu.au> writes:
> Is there a way of restricting access to MIT K5 kadmind
> from kadmin so that principals who are not listed in
> kadm5.acl are unable to do a getprinc on themselves or
> better still are unable to obtain a kadmin/admin ticket
> at all, even if they have successfully authenticated?

There's no way that kadm5.acl could stop people from getting admin
service tickets.  kdc hands out tickets, and it doesn't make
authorization decisions of the sort you want (and many would argue that
this lack of smarts is a "good" thing.)

Since kadmind contains the acl logic, it should certainly be
theoretically possible to stop "getprinc".  Whether this is really what
you want is another question.  If you're worried about the possibility
of bad code paths existing, then this only gives you partial relief; if
the attacker can send "bad" packets, there's a 50% chance that there's
an exploit that can happen before the server checks credentials,
because a lot of the more interesting and ugly low-down processing of
user data happens before the credentials check -- and if you're talking
acls, there's even more stuff that happens after the credentials check
and before the RPC server side procedure proper where the acl logic is
invoked.

What you might want to do instead is to use firewalls, filtering
routers, or kernel firewall rules to discard packets *before* they get
to kadmind.  You'll only be able to filter based on IP address, but
depending on your setup this may be acceptable.  To be truly
effective, you'd also need routers elsewhere that prevent people from
forging your trusted IP addresses.

				-Marcus Watts
				UM ITCS Umich Systems Group
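The kernel-level filtering Marcus suggests, written out as an added example that is not part of the original thread: a small POSIX shell script that generates an iptables-restore ruleset admitting kadmin connections only from a trusted admin network and dropping everything else before it reaches kadmind, plus a host-side anti-spoofing rule for the caveat in his last sentence. It assumes kadmind is listening on its default TCP port 749 (kerberos-adm) and that the admin network and outside interface names are supplied as arguments; the script name and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: emit (and optionally apply)
# iptables rules that discard packets aimed at kadmind unless they come
# from a trusted admin network.  Assumption: kadmind on TCP 749, its
# default.  Port 464 (kpasswd, also served by kadmind) is deliberately
# left alone so ordinary users can still change their passwords.
KADMIND_PORT=749

# Print an iptables-restore ruleset for the filter table.
#   $1 = trusted admin network (CIDR), $2 = outside-facing interface
kadmind_ruleset() {
    admin_net="$1"
    outside_if="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Host-side anti-spoofing: nothing arriving on the outside interface may
# claim an admin-network source.  Upstream routers still need their own
# ingress filtering; this only protects this one host.
-A INPUT -i ${outside_if} -s ${admin_net} -j DROP
# kadmin connections are accepted only from the admin network ...
-A INPUT -p tcp --dport ${KADMIND_PORT} -s ${admin_net} -j ACCEPT
# ... and every other packet to kadmind is discarded before the daemon
# ever parses it.
-A INPUT -p tcp --dport ${KADMIND_PORT} -j DROP
COMMIT
EOF
}

# Number of rules that mention the kadmind port (expect one ACCEPT, one DROP).
kadmind_rule_count() {
    kadmind_ruleset "$1" "$2" | grep -c -- "--dport ${KADMIND_PORT}"
}

# Usage: kadmind-filter.sh ADMIN_NET OUTSIDE_IF [--apply]
# Without --apply the ruleset is only printed for review.
if [ "${3:-}" = "--apply" ]; then
    kadmind_ruleset "$1" "$2" | iptables-restore
elif [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    kadmind_ruleset "$1" "$2"
fi
```

Review the printed ruleset first, then rerun with --apply on the KDC host; the ACCEPT line must precede the DROP line, as generated, or admin hosts lock themselves out.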
