Kerberos Security Question

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Feb 27 00:13:24 EST 2002


>Here's a question. Let's say that we have a UNIX
>computer that is in a Kerberos realm, and an untrusted
>user has "root" access. If some other user happens to
>log in to that computer, then the root user can
>symbolically link their ticket cache file to that of
>any user that has logged in. Thus, when root does a
>'klist', it shows the credentials of that other user.
>This seems like a huge bug (though it's due to how
>UNIX was architected), because then root has
>realm-wide access as this user without requiring a
>password!

The basic problem here is that yes, root having access to a system
gives them the same rights as any other user who's used Kerberos on
that system (within the ticket lifetime window).  But if you think about
it, you'll find that the same is true of ANY other network security
system; if an endpoint is compromised, you can subvert ANYTHING on
that box (like ssh, ssl, etc etc).  It's one of those things that's
outside of the scope of Kerberos (and when you get down to it, any other
network authentication system); that's a cop-out, yes, but it's the
same cop-out everyone else uses, so I don't personally see it as a
particular failing of Kerberos.  At least Kerberos tickets will expire
(but you could install a trojan copy of kinit, so I'm not sure there's
that much gain).

--Ken
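As an added illustration (not part of the post or of any Kerberos
distribution), the following Python script shows why the symlink trick
in the question works: a FILE: credential cache is an ordinary file
that klist merely parses, so whoever can read it (root, or anyone a
symlink leads to it) holds the session keys and tickets inside, for as
long as the tickets have not expired. The script parses the MIT
ccache format (version 4, big-endian), builds a constructed sample
cache for a made-up principal alice@EXAMPLE.COM with one valid and one
expired ticket, reads it through a symlink the way the root user in
the question would, and adds a small ownership check for the
conventional /tmp/krb5cc_<uid> naming. Principal names, service names,
the dummy key and the placeholder ticket bytes are all constructed
here; nothing was captured from a real system.

```python
"""Added example: parse a MIT Kerberos FILE: ccache (format 4) and check its ownership.
Not from the mailing-list post; all sample data below is constructed."""
import os
import stat
import struct
import tempfile
import time


def _u16(b, off):
    return struct.unpack(">H", b[off:off + 2])[0], off + 2


def _u32(b, off):
    return struct.unpack(">I", b[off:off + 4])[0], off + 4


def _data(b, off):                     # uint32 length followed by that many bytes
    n, off = _u32(b, off)
    return b[off:off + n], off + n


def _principal(b, off):                # v3/v4: name_type, component count, realm, components
    _name_type, off = _u32(b, off)
    ncomp, off = _u32(b, off)
    realm, off = _data(b, off)
    comps = []
    for _ in range(ncomp):
        c, off = _data(b, off)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off


def parse_ccache(b):
    """Return (default_principal, [credential dicts]) from a version-4 ccache image."""
    if b[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    hlen, off = _u16(b, 2)
    off += hlen                        # skip header tags (tag 1 = KDC time offset)
    default, off = _principal(b, off)
    creds = []
    while off < len(b):
        client, off = _principal(b, off)
        server, off = _principal(b, off)
        enctype, off = _u16(b, off)
        _key, off = _data(b, off)      # session key: the reason the file is sensitive
        _auth, _start, endtime, renew_till = struct.unpack(">IIII", b[off:off + 16])
        off += 16
        off += 1                       # is_skey flag
        flags, off = _u32(b, off)
        for _ in range(2):             # addresses, then authdata: count of (uint16 type, data)
            n, off = _u32(b, off)
            for _ in range(n):
                _, off = _u16(b, off)
                _, off = _data(b, off)
        ticket, off = _data(b, off)
        _second, off = _data(b, off)
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return default, creds


def _enc_data(d):
    return struct.pack(">I", len(d)) + d


def _enc_principal(name):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    out = struct.pack(">II", 1, len(parts)) + _enc_data(realm.encode())  # 1 = NT-PRINCIPAL
    for p in parts:
        out += _enc_data(p.encode())
    return out


def build_sample_ccache(principal, tickets):
    """Constructed sample cache (not from a real system); tickets = [(server, endtime)]."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)                  # DeltaTime tag, 0 s / 0 us
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _enc_principal(principal)
    for server, endtime in tickets:
        out += _enc_principal(principal) + _enc_principal(server)
        out += struct.pack(">H", 18) + _enc_data(b"\x00" * 32)  # enctype 18 = aes256-cts, dummy key
        out += struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime + 86400)
        out += b"\x00" + struct.pack(">I", 0x40E00000)      # not skey; forwardable|renewable|initial|pre_authent
        out += struct.pack(">II", 0, 0)                      # no addresses, no authdata
        out += _enc_data(b"\x61\x00")                        # placeholder standing in for the DER ticket
        out += _enc_data(b"")                                # no second ticket
    return out


def usable_tickets(creds, now):
    """Credentials still inside their lifetime window, i.e. the ones an attacker can use."""
    return [c for c in creds if c["endtime"] > now]


def cache_owner_mismatch(path):
    """Flag a krb5cc_<uid> cache that is a symlink or is owned by a uid other than the one in its name."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "symlink -> " + os.readlink(path)
    tail = os.path.basename(path).partition("krb5cc_")[2].split("_")[0]
    if tail.isdigit() and int(tail) != st.st_uid:
        return f"owned by uid {st.st_uid}, name claims uid {tail}"
    return None


def demo():
    """Write the constructed cache under a temp dir, then read it through a symlink as root would."""
    now = int(time.time())
    image = build_sample_ccache("alice@EXAMPLE.COM", [
        ("krbtgt/EXAMPLE.COM@EXAMPLE.COM", now + 3600),             # still valid
        ("host/fileserver.example.com@EXAMPLE.COM", now - 60),      # expired a minute ago
    ])
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, f"krb5cc_{os.getuid()}")
        with open(victim, "wb") as f:
            f.write(image)
        link = os.path.join(d, f"krb5cc_{os.getuid() + 1}")         # the "other" user's cache name
        os.symlink(victim, link)
        with open(link, "rb") as f:                                  # following the link yields alice's creds
            principal, creds = parse_ccache(f.read())
        return {"principal": principal,
                "servers": [c["server"] for c in creds],
                "usable": [c["server"] for c in usable_tickets(creds, now)],
                "victim_check": cache_owner_mismatch(victim),
                "link_check": cache_owner_mismatch(link)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints alice's principal and both service tickets, but only
the unexpired krbtgt entry is listed as usable, which is the "ticket
lifetime window" the reply refers to. The ownership check only catches
the crude symlink case; a root user who simply copies the file or sets
KRB5CCNAME to the victim's path leaves nothing for it to find, which is
the reply's point that an endpoint compromise is outside what Kerberos
can defend against.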
