Preventing an attacker to steal credential and to compromise a whole kerberized network?

Mike Spinzer mspinzer at yahoo.com
Tue Oct 11 14:07:16 EDT 2011


Hello,

Thanks a lot for all your answers. Trying to limit the attack on the server itself seems to me difficult since by definition we consider that the server is owned by the attacker.
I was wondering if it would not be possible to instead put some restrictions on the ticket itself. For instance by including the IP address where it's valid.
Basically the idea would be the following:
- A user on a computer C gets a ticket valid only on a server S1 (IP1)
- He uses ssh to log in to S1, the ticket is copied there
- He can then use the ticket to either become root (with ksu) or connect to another server S2 without entering any password

If an attacker compromises the server S1, he will be able to steal this ticket and to login into S2, but not to become root on this server.
However, this has some limitations, since if the user also has another session open on S2, the attacker will be able to log in there and steal this other ticket to become root on S2.


Is there any way to generate on C a ticket valid only on S1 and to forward (copy) it automatically through SSH?

More generally, is there any way to include some roles into a ticket, for instance to indicate that it can be used to authenticate locally with ksu but not to open a remote SSH to another server?

Thank you,

Mike



----- Original Message -----
From: Simo Sorce <simo at redhat.com>
To: Mike Spinzer <mspinzer at yahoo.com>
Cc: "kerberos at mit.edu" <kerberos at mit.edu>
Sent: Tuesday, October 11, 2011 10:35 AM
Subject: Re: Preventing an attacker to steal credential and to compromise a whole kerberized network?

On Tue, 2011-10-11 at 08:55 -0700, Mike Spinzer wrote:
> Hello,
> 
> I set up the MIT Kerberos in my network (mainly composed of Ubuntu
> servers), and it's working fine. My concern is now to prevent that if
> an attacker manages to be root on one server, he could after
> compromise other servers. Some of the users need to have root access
> on several servers; By now, they connect to servers through SSH with a
> forwardable ticket, that they can use either to bounce on another
> server or to become root with ksu without entering any password (so
> that they never enter their password on a server that could have been
> compromised).
> However, the problem is that if an attacker is root on one server, he
> can easily steal other users' credentials (stored by now in files
> in /tmp) and connect and become root on other servers.
> 
> Does Kerberos include any solution to mitigate this risk?

I don't know if Ubuntu includes support, but you can try using the
kernel keyring to store credentials. That should make it more difficult
for an attacker to get access to keys, although not impossible I guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
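
The thread contrasts file credential caches in /tmp with the kernel keyring. As an added example (not code from either poster or from MIT Kerberos), this script inventories the on-disk caches on a host so they can be moved to another cache type; the function names `ccache_type`, `check_mode` and `audit_dir` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the cache type of a KRB5CCNAME-style name. MIT krb5 treats a
# name with no "TYPE:" prefix as a FILE cache.
ccache_type() {
    case "$1" in
        "") echo DEFAULT ;;  # unset: the library's configured default applies
        FILE:*|DIR:*|KEYRING:*|KCM:*|MEMORY:*|API:*|MSLSA:*)
            echo "${1%%:*}" ;;
        *)  echo FILE ;;
    esac
}

# Print "OK <path>" when only the owner has access, "LOOSE <path>" when
# group or other have any permission bit set (columns 5-10 of ls -l).
check_mode() {
    go_bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$go_bits" = "------" ]; then
        echo "OK $1"
    else
        echo "LOOSE $1"
    fi
}

# Inventory on-disk caches (regular files named krb5cc_*) directly under
# a directory. Symlinks are skipped so a planted link is not followed.
audit_dir() {
    for f in "$1"/krb5cc_*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            check_mode "$f"
        fi
    done
    return 0
}

# Report the current session, then the directory given as $1 (default /tmp).
echo "session cache type: $(ccache_type "${KRB5CCNAME:-}")"
audit_dir "${1:-/tmp}"
```

An OK line only means other unprivileged users cannot read the file; every file listed is still readable by root on that host, which is the case this thread is concerned with.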



