Is a keytab file encrypted?

[Russ Allbery]

Russ Allbery <eagle at eyrie.org> writes:
> Charles Hedrick <hedrick at rutgers.edu> writes:

>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and gets back
>> credentials, locked to the IP address, and at least by default not
>> forwardable.

> How does this address the problem raised on this thread?  It's still the
> case that if you become root on the host, you can just steal the keytab
> used by that daemon and use it anywhere.  This gives you enhanced
> protection if you trust the boundary between non-root users and root,
> but not if you don't trust the machine.

Oh, wait, I see -- it does transform part of the attack to occasional
on-line, since while you can steal the system keytab and request tickets
whenever you want, you can't get the long-lived keytab for the actual
target credential.  (And presumably you can put monitoring and alerting
around the host keytab being used from unexpected places.)

Yeah, that's a partial security improvement.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>