MIT Krb5 + SELinux

Sam Hartman hartmans at MIT.EDU
Thu Apr 15 09:42:36 EDT 2004


>>>>> "Jerome" == Jerome Walter <walter+kerberos at efrei.fr> writes:
    Jerome> Difficult is not enough ;) Yes, for now, I created 3
    Jerome> different contexts, for kdc, kadmind and kerberos
    Jerome> applications. The restriction is fairly strict and a
    Jerome> compromised kdc should not mean possibility to get a root
    Jerome> privilege, nor change any passwords in the realm.

But difficult is all you get.  If I can execute arbitrary code in the
kdc context, I can read keys from the database and transmit them over
the network.  I then break in with a kadmin request.


The KDC is fundamentally part of the TCB.  You can make exploiting it
harder, but a bug in the KDC that leads to arbitrary code execution
does compromise the authentication infrastructure.


