MIT Krb5 + SELinux

Jerome Walter walter+kerberos at efrei.fr
Tue Apr 13 20:49:32 EDT 2004


On Tue, Apr 13, 2004 at 03:01:44PM -0400, Jeffrey Hutzelman wrote:
> 
> 
> On Tuesday, April 13, 2004 03:00:40 +0200 Jerome Walter 
> <walter+kerberos at efrei.fr> wrote:
> 
> >By the way, a common constant on the programs is that most want access
> >do urandom devices, but do not require it really. I guess, that to
> >create tickets, kdc do need access to the device, otherwise the work
> >could be altered.
> 
> The session keys used to protect communications between clients and servers 
> in Kerberos-authentication applications are generated by the KDC.  In fact, 
> the acronym KDC stands for "Key Distribution Center", and these session 
> keys are the keys being distributed.  The KDC generates a new session key 
> every time it issues a ticket, and in order to generate good keys, it must 
> have access to a decent source of entropy.
[snip]

I know the application need access to random data. In fact, my 2 main
purpose where 
1. Does the apps need access to any other device than urandom and 
tcp/udp/socket files ?
2. What restriction could i safely make on the different parts of the
kerberos process without breaking it or possibly open a breach in
granularity offered by SELinux.

For now, i opened the urandom, so the point is not to know if i should
do it, but to know if there is any other randomness(or other) source
that could not appear at first, and make the cryptography of kerberos
being weaker...

I have another point determining which files in /etc/krb5kdc (for debian
and gentoo at least) for the different parts of server need.
I think kdc do not need writing on keytab files, isn't it ?
kadmin should need writing to these files, but we can fairly safely
remove any writing access to any configuration files for both, is that
true ?
Do clients need writing access to any file ? I think tickets are stored
into the memory (and i hope so), so except for the access to files
needed by the application they replace, plus access to krb5.conf, it
could be fairly safe. 

I look forward some details, but i am in the way of finishing debugging
the most visible denials and errors...

Best regards,


Jerome
-- 
-+--   Jerome Walter - 	EFREI p2004		          ----+-
       Mail *is* private


More information about the Kerberos mailing list