nfsv4 sec=krb5p and user impersonation
Nordgren, Bryce L -FS
bnordgren at fs.fed.us
Tue Sep 9 19:44:40 EDT 2014
> What I call "authentication 2" is the actual user- and file-level permissions, i.e.
> who can see what file. The share is mounted regardless. But at this point,
> under what circumstances is root allowed to see various users' files? How is
> it that root can "authenticate" as user XYZ without knowing XYZ's password,
> under the case I outlined in the original email?
Consider this scenario (which I just verified):
1] I sftp'ed to my fileserver (CentOS 7 + sssd + kerberos5 to active directory). This involved an AS exchange and the creation of a ticket cache.
2] I ssh'ed to my fileserver as root.
3] As root on fileserver: export KRB5CCNAME=KEYRING:persistent:10001 (my uid number)
4] klist now shows my credentials.
5] ldapsearch -Y GSSAPI -H ... works as me.
6] klist shows an additional cross-realm TGT and an ldap service ticket in my cache.
Note that root never had to know my password. So to summarize, all I have to do is look at who is actively using my fileserver, "getent passwd <them>", and set my KRB5CCNAME to their uid. Then I can ssh to whatever other machine I'd like, as them. Or visit kerberized websites, or mount kerberized NFS shares, etc.
This will work for any situation where a user causes a ticket cache to be present on a machine you control, whether they type the password into your machine or they just forward their credentials to you. Note this would not work for an NFS server, as the user would typically only transfer a service ticket for nfs/myserver.example.com.
Kerberos is one step better than host-based authentication, but only one. Essentially, I can't impersonate just anyone, but I can impersonate anyone foolish enough to transfer credentials to my machine. :)
This "feature" implies that some sort of host-based access control is necessary. Machines should be reachable from where you are only if: a] the target machine has the same administrator; b] the target machine's administrator trusts your administrator; or c] your machine is an end-user workstation (console) that only one person at a time should be logging into. This partitions a domain into little trust bubbles, anchored in end-user workstations.
Bryce
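A defender-side check for the situation the post describes, added here as an example and not part of Bryce's message: it flags processes whose KRB5CCNAME names a credential cache owned by a different uid (e.g. root pointing at KEYRING:persistent:10001). It assumes a Linux host, the standard MIT cache-name forms (KEYRING:persistent:<uid>, FILE:/tmp/krb5cc_<uid>[_random], DIR under /run/user/<uid>), and that /proc/<pid>/environ is readable, which for other users' processes means running as root; the Proc records in the test are constructed.

```python
"""Spot processes whose Kerberos cache (KRB5CCNAME) belongs to a different uid.
Assumes Linux cache-name forms and /proc/<pid>/environ (root reads other users')."""
import os
import re
from dataclasses import dataclass

# Cache names that encode their owner's uid: persistent keyrings,
# FILE:/tmp/krb5cc_<uid>[_random] and DIR caches under /run/user/<uid>.
_OWNER_RE = re.compile(
    r"^(?:KEYRING:persistent:(?P<keyring>\d+)(?::[^:]+)?"
    r"|FILE:/tmp/krb5cc_(?P<file>\d+)(?:_[^/]*)?"
    r"|DIR::?/run/user/(?P<dir>\d+)/.*)$"
)

def cache_owner_uid(krb5ccname):
    """Return the uid a KRB5CCNAME value points at, or None if the name does not say."""
    m = _OWNER_RE.match(krb5ccname)
    if not m:
        return None
    return int(next(v for v in m.groupdict().values() if v is not None))

@dataclass
class Proc:
    pid: int
    uid: int          # uid the process runs as
    krb5ccname: str   # value of KRB5CCNAME in its environment

def find_cache_borrowers(procs):
    """Return (pid, uid, owner_uid) for every process using another uid's cache."""
    hits = []
    for p in procs:
        owner = cache_owner_uid(p.krb5ccname)
        if owner is not None and owner != p.uid:
            hits.append((p.pid, p.uid, owner))
    return hits

def collect_from_proc():
    """Snapshot live processes that have KRB5CCNAME set, from /proc (Linux only)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{pid}").st_uid
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = dict(kv.split(b"=", 1) for kv in f.read().split(b"\0") if b"=" in kv)
        except OSError:
            continue  # process exited or environ not readable
        if b"KRB5CCNAME" in env:
            procs.append(Proc(int(pid), uid, env[b"KRB5CCNAME"].decode(errors="replace")))
    return procs
```

Run `find_cache_borrowers(collect_from_proc())` as root to scan a live host; a MEMORY: or unusual cache name yields no owner and is simply skipped, so pair this with audit rules on keyctl if you need full coverage.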