Root Authentication

Jim Barlow jbarlow at ncsa.uiuc.edu
Thu Mar 11 11:01:53 EST 2004


Since I haven't seen any replies to this I thought I'd give my 2
cents worth.  In my opinion a root principal is a REALLY bad idea.
It basically will give that principal root access and privileges to any
machine in your organization that allows remote kerberos authentication.
This can also go for machines that you may not normally have access to
(i.e., no local user account).  Also, if that principal was ever compromised
(it had better require preauth) then you'd most likely be in deep kimchi.
There may be ways around this like preventing direct root logins, etc.,
but I still think it is a dangerous principal to have in your database.
Are there any organizations that actually utilize this (or would admit 
to it :)?


On Thu, Mar 04, 2004 at 12:15:47PM -0500, James Walthall wrote:
> How does root authentication work with kerberos?
> 
> To my understanding, it appears as if the root user can authenticate both 
> locally and on the kerberos KDC.
> 
> I have successfully been able to login onto a kerberized redhat linux 8 
> machine using both the root password
> established locally as well as the kerberos principal password without 
> making any configuration changes between
> logins.
> 
> I assume this is working as designed. Any idea how to disable the local 
> logon for root while still allowing the
> kerberized logon (or is this just a bad idea altogether?)
> 
> Thanks in advance!
> 
> ---------------
> James Walthall Jr
> IBM Host Integration Server Test / HATS
> Outside: (919) 254-8869
> Tieline: 444-8869
> Research Triangle Park
> Raleigh, North Carolina
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
James J. Barlow   <jbarlow at ncsa.uiuc.edu>
Senior Security Engineer
National Center for Supercomputing Applications    Voice : (217)244-6403
605 East Springfield Avenue   Champaign, IL 61820   Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
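
An added example, not part of the original message: a small audit that looks for the kind of bare root principal discussed above in a KDC principal listing and checks whether it requires preauthentication. It assumes text in the shape printed by MIT kadmin's `listprincs` and `getprinc` commands; the realm, principal names and sample output are constructed.

```python
import re

# Constructed sample: text in the shape printed by MIT kadmin's
# "listprincs" and "getprinc" commands (realm and names are made up).
SAMPLE_LISTPRINCS = """\
K/M@EXAMPLE.ORG
host/login1.example.org@EXAMPLE.ORG
jdoe@EXAMPLE.ORG
jdoe/admin@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
root@EXAMPLE.ORG
"""

SAMPLE_GETPRINC = {
    "root@EXAMPLE.ORG": """\
Principal: root@EXAMPLE.ORG
Expiration date: [never]
Number of keys: 1
Attributes:
Policy: [none]
""",
}


def bare_root_principals(listprincs_text):
    """Return principals of the form root@REALM (no instance component)."""
    found = []
    for line in listprincs_text.splitlines():
        name, _, realm = line.strip().rpartition("@")
        if name == "root" and realm:
            found.append(line.strip())
    return found


def requires_preauth(getprinc_text):
    """True if the Attributes line lists REQUIRES_PRE_AUTH."""
    m = re.search(r"^Attributes:(.*)$", getprinc_text, re.MULTILINE)
    return bool(m) and "REQUIRES_PRE_AUTH" in m.group(1).split()


def audit(listprincs_text, getprinc_by_name):
    """Return (principal, finding) pairs for every bare root principal."""
    findings = []
    for princ in bare_root_principals(listprincs_text):
        findings.append((princ, "root principal present in KDC database"))
        if not requires_preauth(getprinc_by_name.get(princ, "")):
            findings.append((princ, "preauthentication not required"))
    return findings


if __name__ == "__main__":
    for princ, finding in audit(SAMPLE_LISTPRINCS, SAMPLE_GETPRINC):
        print(f"{princ}: {finding}")
```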

