Preventing an attacker to steal credential and to compromise a whole kerberized network?
Tom Yu
tlyu at MIT.EDU
Tue Oct 11 13:14:33 EDT 2011
Mike Spinzer <mspinzer at yahoo.com> writes:
> Hello,
>
> I set up the MIT Kerberos in my network (mainly compounded of Ubuntu
> servers), and it's working fine. My concern is now to prevent that if
> an attacker manages to be root on one server, he could after
> compromise other servers. Some of the users need to have root access
> on several servers; By now, they connect to servers through SSH with a
> forwardable ticket, that they can use either to bounce on another
> server or to become root with ksu without entering any password (so
> that they never enter their password on a server that could have been
> compromised). However, the problem is that if an attacker is root on
> one server, he can easily steal other users credentials (stored by now
> in files in /tmp) and connect and become root on other servers.
>
> Does Kerberos include any solution to mitigate this risk?
Kerberos doesn't really defend against local vulnerabilities or the
actions of privileged users (whether legitimate or not). If a
forwarded credential is compromised by a local attack on a host, the
damage will naturally be limited by the expiration time (and renewal
time, if any) of the credential. If this is an unacceptable risk, you
may want to consider stricter policies about forwarding credentials.
Is there some special property about your network that requires users
to bounce through multiple SSH logins?
More information about the Kerberos
mailing list