Preventing an attacker to steal credential and to compromise a whole kerberized network?

Greg Hudson ghudson at MIT.EDU
Tue Oct 11 13:10:49 EDT 2011


On 10/11/2011 11:55 AM, Mike Spinzer wrote:
> I set up the MIT Kerberos in my network (mainly composed of Ubuntu servers), and it's working fine. My concern is now to prevent that if an attacker manages to be root on one server, he could afterwards compromise other servers. Some of the users need to have root access on several servers; by now, they connect to servers through SSH with a forwardable ticket, that they can use either to bounce on another server or to become root with ksu without entering any password (so that they never enter their password on a server that could have been compromised).
> However, the problem is that if an attacker is root on one server, he can easily steal other users' credentials (stored by now in files in /tmp) and connect and become root on other servers.

It doesn't really matter how credentials are stored.  All data passing
through a compromised server is subject to theft.  Allowing users to
"bounce" from server to server is fundamentally at odds with containing
the effect of a server compromise.

I believe the only ways to mitigate this risk are:

1. Stop forwarding TGTs around.  Allow direct root login by users
authorized to do so (ideally using separate username/root principals).

2. Reduce the maximum ticket lifetime.


