Kerberos Ldap Integration

Scott Grizzard scott at scottgrizzard.com
Wed Jun 11 11:43:07 EDT 2008


Yes, local users with su access could obtain a user's TGT, and then use
that ticket to access network services in the user's name. However, the
impostor could only use the TGT until the tickets expire, so there is a
limit to the damage. If you are worried about this in the labs, set the
TGTs for the "lower users" to expire after an hour or two.

Consider just giving them sudo access instead of full root access. Then,
redirect syslog to a system outside the admins' control. This way, all
sudo action is logged. Then, in your orientation, emphasize the fact
that, while they can do rogue stuff, it will be logged if they do. Ha ha ha.

You can also set up sudo to use LDAP for sudoers, so the administrative
headache is not as large.

- Scott

Sebastian Hanigk wrote:
> "Eric Hill" <eric at ijack.net> writes:
>
>> What you are trying to prevent is a root user on system A accessing
>> user data on system B without knowing the users' credentials.  This is
>> precisely what Kerberos prevents.  System B will not accept inbound
>> sessions without a Kerberos ticket, and it is impossible for a root
>> user on system A to gain a TGT for the user without knowing the users'
>> credentials.
>
> Not true in general. The superuser often has the capability to read the
> user's credential cache (be it a plain file or something memory based)
> and could therefore impersonate the respective user - if a valid ticket
> has already been acquired by the user.
>
>
> Sebastian
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
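Scott's point that logged sudo activity is the real control, together with Sebastian's note that root can read a user's credential cache, suggests what to look for in the sudo log. The following is an added example, not code from either poster or from the Kerberos project: it parses sudo's syslog lines and flags commands (allowed or refused) that touch a Kerberos credential cache. The sample log lines, hostname and usernames are constructed, and the cache path assumes the default FILE cache location /tmp/krb5cc_<uid>.

```python
"""Flag sudo log entries that touch a Kerberos credential cache.
Added example, not from the thread. Assumes the default FILE ccache
location /tmp/krb5cc_<uid>; extend CACHE_PATTERNS for KEYRING/DIR caches."""
import re
from dataclasses import dataclass

# sudo's syslog line: "<ts> <host> sudo: <user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# <reason> appears only on refused runs ("command not allowed", "user NOT in sudoers").
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>[^;]*?) ;)? TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# A command naming the cache file, or pointing KRB5CCNAME at one, deserves a look.
CACHE_PATTERNS = (re.compile(r"/tmp/krb5cc_"), re.compile(r"\bKRB5CCNAME="))

@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str     # account that invoked sudo
    target: str   # account the command ran as (USER=)
    cmd: str
    denied: bool  # True when sudo refused the command

def parse_sudo_line(line):
    """Return a SudoEvent for a sudo syslog line, or None for anything else."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    return SudoEvent(m["ts"], m["host"], m["user"], m["target"],
                     m["cmd"].strip(), denied=m["reason"] is not None)

def find_cache_access(lines):
    """Return the sudo events (allowed or denied) whose command touches a credential cache."""
    events = (parse_sudo_line(line) for line in lines)
    return [e for e in events if e and any(p.search(e.cmd) for p in CACHE_PATTERNS)]

SAMPLE_LOG = [  # constructed lines in sudo's syslog format; host and users are made up
    "Jun 11 11:43:07 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Jun 11 11:44:12 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /tmp/krb5cc_1002",
    "Jun 11 11:45:30 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=bob ; COMMAND=/usr/bin/env KRB5CCNAME=/tmp/krb5cc_1002 klist",
    "Jun 11 11:46:01 lab01 sudo:    carol : command not allowed ; TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /tmp/krb5cc_1002",
    "Jun 11 11:47:00 lab01 sshd[2211]: Accepted gssapi-with-mic for bob from 10.0.0.5 port 50322 ssh2",
]

if __name__ == "__main__":
    for e in find_cache_access(SAMPLE_LOG):
        print(f"{e.ts} {e.host}: {e.user} {'DENIED' if e.denied else 'ran'} as {e.target}: {e.cmd}")
```

Point the script at the copy of the sudo log that lives on the syslog host outside the lab admins' control, since that is the copy they cannot edit.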