Running Kerberos as a different user than root

Russ Allbery rra at stanford.edu
Wed Mar 2 17:09:40 EST 2011


Tom Yu <tlyu at MIT.EDU> writes:
> Russ Allbery <rra at stanford.edu> writes:

>> Note, of course, that if you generally use Kerberos for authentication
>> for your systems, your operations group is being ridiculous here.  Any
>> Kerberos KDC administrator could just change the password of one of the
>> operations people and then gain root that way.

> True, unless for some reason the ops people don't trust Kerberos for
> authenticating logins to the host that runs the KDC.

Even then, it's a serious uphill battle to protect against an actual
attacker with access to the KDC.  They can silently compromise the account
of one of the people in operations and then Trojan ssh to sniff the root
password, just to pick one example.  Protecting yourself against attackers
with KDC access is, at most sites that use Kerberos, a lost cause.

> It's still a good security practice to avoid running any other services
> on a KDC host though.

Yeah, that plus the use of Kerberos for authentication anyway is why I've
not only never seen any point in running production KDCs as non-root
users, I've never seen any point in having anyone other than the KDCs
administer the system on which the KDCs run.  There's just no realistic
security gain; all these people tend to be able to access each other's
accounts with a modicum of work, so you may as well unify all the
operations so that you can minimize the footprint that way.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


