Running Kerberos as a different user than root
Tom Yu
tlyu at MIT.EDU
Wed Mar 2 16:58:42 EST 2011
Russ Allbery <rra at stanford.edu> writes:
> Dave <steiner.dave at gmail.com> writes:
>
>> We've been running Kerberos for a number of years. We've always run all
>> the processes (including kprop, kadmin, etc) as root. A new group has
>> taken over running these machines and don't want to give the Kerberos
>> support people root access. I've looked around but I can't find out if
>> Kerberos can run as a non-root user.
>
> No reason that I can see provided that you find a way for the KDC to bind
> to port 88 before dropping privileges. But I don't think the code has any
> built-in way of doing that other than starting the KDC as root.
You can also run krb5kdc on an unprivileged port without running as
root, but that could require DNS SRV records or explicit configuration
on the clients.
> Note, of course, that if you generally use Kerberos for authentication for
> your systems, your operations group is being ridiculous here. Any
> Kerberos KDC administrator could just change the password of one of the
> operations people and then gain root that way.
True, unless for some reason the ops people don't trust Kerberos for
authenticating logins to the host that runs the KDC. It's still a
good security practice to avoid running any other services on a KDC
host though.
More information about the Kerberos
mailing list