Preventing an attacker to steal credential and to compromise a whole kerberized network?

Simo Sorce simo at redhat.com
Tue Oct 11 17:06:56 EDT 2011


On Tue, 2011-10-11 at 12:54 -0500, Nico Williams wrote:
> If the attacker has full local access then the kernel keyrings must be
> assumed to be readable by the attacker.  Even if they have much less
> than full local access.  For example, if the attacker has access as
> the victim user.  (Which is why there's no point storing large,
> unbounded objects, such as Kerberos ccaches, in a keyring.  Smaller,
> *bounded* credentials are useful to store in keyrings but only doing
> so simplifies management, as there's no files to destroy on logout,
> for example.)  Even if the attacker's level of access denies them
> direct read access to the credentials, if the attacker can use the
> credentials it's bad enough. 

Keyrings can be bound to sessions, so an attacker may be prevented
access to them easily if they do not have total control of the system.

That said I just remembered that by default keyring quotas are quite
small compared to the size a credential cache can reach, so it may not
be really a solution if you need to store many tickets (or if your
tickets are very big).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
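
Added example, not part of the original message: a shell check of the quota limitation discussed above, comparing a credential cache's size against the byte quota a user has left in /proc/key-users. The function names and the sample lines are constructed for illustration, and the comparison is approximate because the kernel also charges key descriptions against the quota.

```shell
#!/bin/sh
# Added example (not from the original thread).
# /proc/key-users line format, per keyrings(7):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>

# Constructed sample input; on a live system read /proc/key-users instead.
SAMPLE_KEY_USERS='    0:    60 59/59 48/1000000 1012/25000000
 1000:    12 12/12 12/200 3100/20000'

# keyring_bytes_free UID [FILE]   (FILE "-" means stdin)
# Prints the quota bytes still unused for UID; returns 1 if UID has no entry.
keyring_bytes_free() {
    awk -v uid="$1" '
        { id = $1; sub(/:$/, "", id) }
        id == uid {
            split($5, q, "/")        # q[1] = bytes in use, q[2] = byte quota
            print q[2] - q[1]
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "${2:-/proc/key-users}"
}

# ccache_fits UID CCACHE_BYTES [FILE]
# Returns 0 if a cache of CCACHE_BYTES fits in the remaining quota,
# 1 if it does not, 2 if the UID has no quota entry.
# Approximation: only the payload size is compared.
ccache_fits() {
    free=$(keyring_bytes_free "$1" "${3:-/proc/key-users}") || return 2
    [ "$2" -le "$free" ]
}

# Demo on the constructed sample: a 64 KiB cache against uid 1000.
printf '%s\n' "$SAMPLE_KEY_USERS" | ccache_fits 1000 65536 - ||
    echo "64 KiB ccache exceeds the remaining keyring quota for uid 1000"
```

On a live system, `ccache_fits "$(id -u)" "$(wc -c < /path/to/ccache)"` runs the same check against the real quota, where `/path/to/ccache` is a placeholder for the cache file.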



