ticket steal possibility
Nikolai Tenev
ntenev at orbitel.bg
Wed Mar 21 07:25:26 EDT 2007
Hi everyone,
I need some help or information source, to resolve one big (for me) problem
with MIT Kerberos.
Software:
CentOS 4.4
Kerberos 1.3.4
OpenSSH 3.9p1
The Network Description:
Used realm is @EXAMPLE.NET
Two servers from same realm and two clients from same realm but different
instances.
Server one has a host ticket host/server1.example.net at EXAMPLE.NET
Server two has a host ticket host/server2.example.net at EXAMPLE.NET
Client one has a client ticket client1/support at EXAMPLE.NET
Client two has a client ticket client2/developer at EXAMPLE.NET
On server one (server1) in krb5.conf I have a record:
auth_to_local = {
RULE:[2:$2](support)s/^.*$/root/
}
On server two (server2) in krb5.conf I have a record:
auth_to_local = {
RULE:[2:$2](support)s/^.*$/root/
RULE:[2:$2](developer)s/^.*$/root/
}
Both clients use ssh to conect to remote servers from their workstations.
According this client2 with realm client2/developer at EXAMPLE.NET can do login
as root on server2 but can not to do login on server1. Other user client1
with realm client1/support at EXAMPLE.NET can do login as root on both servers.
At this time everything is OK, and work as I expect.
The problem:
When client1 is logged in from his workstation1 as root on server2, the ticket
of client1 is forwarded and stored in file /tmp/krb5cc_0_r10108 owned by root
(root:root) and chmoded 600. But if in same time client2 make connection from
his workstation2 to server2 as root, he can read/copy ticket file
(/tmp/krb5cc_0_r10108 ) of client1 locally on his workstation2 and after that
is easy to represent self as client1 to server1 and grant root access before
ticket of client1 expire.
I search in Google for information how to resolve this problem and find three
common type of solutions.
1) To lock clients ticket by IP. Disadvantage is that some of users use their
laptops remotely from different networks, and they need addressless tickets.
2) To not forward tickets from client to server. This solution works, but for
now most of users use ssh-agent to forward their private keys from one
session to another (in example client1 make ssh to server1 and the from
server1 copy data to server2 via scp with his own ssh key). It's not good to
drop this possibility for them on condition that they find it as usable. But
supporting hundred ssh public keys on great number of servers is little hell
that I hope to resolve with kerberos.
3) One "alternative" solution is to make ticket available for a short-short
time (something about 2-3 seconds). But this not sound good enough to me.
Even if our corporate network speed allow this solution, we can not be sure
for others network. And even if the speed and times are perfect, if someone
know about this system weakness, he can find way to catch the ticket and make
ssh connection to another remote server with ticket that is steal. When ssh
connection is established, even if ticket expire, connection not drop.
Does anyone have some idea how to resolve this, or just link to useful
documentation ?
Thanks in advance !
--
Nikolai Tenev
Hosting Systems Support Engineer
Orbitel EAD - office Sofia
---------------------------------
Orbitel - Next Generation Telecom
More information about the Kerberos
mailing list