Kerberos Ldap Integration
Sebastian Hanigk
hanigk at in.tum.de
Tue Jun 10 12:37:52 EDT 2008
"Eric Hill" <eric at ijack.net> writes:
> What you are trying to prevent is a root user on system A accessing
> user data on system B without knowing the users' credentials. This is
> precisely what Kerberos prevents. System B will not accept inbound
> sessions without a Kerberos ticket, and it is impossible for a root
> user on system A to gain a TGT for the user without knowing the users'
> credentials.
Not true in general. The superuser often has the capability to read the
user's credential cache (be it a plain file or something memory-based)
and could therefore impersonate the respective user - if the user has
already acquired a valid ticket.
Sebastian