ticket steal possibility
Edgecombe, Jason
jwedgeco at uncc.edu
Tue Mar 27 08:15:15 EDT 2007
I assume that all priviledged users have non-priviledged accounts as
well. Is that correct?
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Jeffrey Hutzelman
Sent: Monday, March 26, 2007 5:59 PM
To: Nikolai Tenev; kerberos at mit.edu
Cc: Jeffrey Hutzelman
Subject: Re: ticket steal possibility
On Wednesday, March 21, 2007 01:25:26 PM +0200 Nikolai Tenev
<ntenev at orbitel.bg> wrote:
> On server one (server1) in krb5.conf I have a record:
>
> auth_to_local = {
> RULE:[2:$2](support)s/^.*$/root/
> }
>
> On server two (server2) in krb5.conf I have a record:
>
> auth_to_local = {
> RULE:[2:$2](support)s/^.*$/root/
> RULE:[2:$2](developer)s/^.*$/root/
> }
Doing authorization this way is dangerous, because it effectively grants
privileges based on the mere existance of a principal, and assumes that
no
principal will ever be created that should not have these privileges. A
better approach is to distribute lists of authorized developers and
support
staff which can be used in constructing a .k5login file for root.
> When client1 is logged in from his workstation1 as root on server2,
the
> ticket of client1 is forwarded
If you don't trust the machine you're connecting to, including all the
people who have privileged access to it, then don't do that. Whenever
you
type a password on a machine, or forward credentials, agent connections,
or
X11 connections, you are granting that machine, and whoever controls it,
the power to act as you. Giving your credentials to an untrusted
machine
is inherently unsafe; there are no tricks to get around that fact.
Most ssh clients can be configured to forward credentials, agent
connections, and X11 connections only to specific hosts. Your support
staff should forward these only to trusted machines; that is, only to
machines where only trusted staff have privileged access. They should
also
only ever type passwords at such machines, and never at an untrusted
machine where some other person has root access.
In our facility we go a step further; privileged users are not allowed
to
type passwords on or forward credentials to any machine where an
untrusted
person has any access, privileged or not.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list