ticket steal possibility
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Mar 26 17:58:59 EDT 2007
On Wednesday, March 21, 2007 01:25:26 PM +0200 Nikolai Tenev
<ntenev at orbitel.bg> wrote:
> On server one (server1) in krb5.conf I have a record:
>
> auth_to_local = {
> RULE:[2:$2](support)s/^.*$/root/
> }
>
> On server two (server2) in krb5.conf I have a record:
>
> auth_to_local = {
> RULE:[2:$2](support)s/^.*$/root/
> RULE:[2:$2](developer)s/^.*$/root/
> }
Doing authorization this way is dangerous, because it effectively grants
privileges based on the mere existance of a principal, and assumes that no
principal will ever be created that should not have these privileges. A
better approach is to distribute lists of authorized developers and support
staff which can be used in constructing a .k5login file for root.
> When client1 is logged in from his workstation1 as root on server2, the
> ticket of client1 is forwarded
If you don't trust the machine you're connecting to, including all the
people who have privileged access to it, then don't do that. Whenever you
type a password on a machine, or forward credentials, agent connections, or
X11 connections, you are granting that machine, and whoever controls it,
the power to act as you. Giving your credentials to an untrusted machine
is inherently unsafe; there are no tricks to get around that fact.
Most ssh clients can be configured to forward credentials, agent
connections, and X11 connections only to specific hosts. Your support
staff should forward these only to trusted machines; that is, only to
machines where only trusted staff have privileged access. They should also
only ever type passwords at such machines, and never at an untrusted
machine where some other person has root access.
In our facility we go a step further; privileged users are not allowed to
type passwords on or forward credentials to any machine where an untrusted
person has any access, privileged or not.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list