[krbdev.mit.edu #5821] REQ: in-registry keytab support
"Christopher D. Clausen" via RT
rt at krbdev.mit.edu
Thu Oct 18 17:16:12 EDT 2007
Sam Hartman via RT <rt at krbdev.mit.edu> wrote:
> Hi. I'm concerned about a mechanism that makes it this easy to reuse
> keys. Your example of a cluster of web servers using HTTP/clustername
> is OK; that's a case where you need to reuse keys.
>
> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.
Impersonating an anonymous user is actually what one would want in some
environments. (Say non-AD joined machines. Copying a registry file and
importing it may be simpler than setting up a file path, etc. A single
registry key can contain all the needed configuration info.) The fact
that you are actually authenticating but still an anonymous user allows
for OpenAFS to enable encryption to the cell. This is a FEATURE in this
case. (Well, it will hopefully soon be an OpenAFS feature.)
I mean I can currently set a keytab file up on a world-readable network
share. Taking a file and putting it in the registry doesn't fix the
ability of someone to do something stupid.
> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use.
> How is group policy pushed to a machine?
Group policy is generally implemented as a set of files in the SYSVOL share
on the domain controller. I'm not sure if a higher level of protection
is granted to these files over normal CIFS traffic to the DC. I suspect
not. Again though, the ease of configuration may outweigh the security
risk in certain environments.
Also note that this would not be used for per-machine host keys, which
would be generated when the machine is joined to the domain. (A needed
step before Group Policy can be applied to the computer.)
> Is it encrypted in transit?
I do not know if GPO traffic is encrypted. You can of course force
encryption to the DC using IPsec or with the security levels on the
CIFS traffic.
> Can a machine find out the group policy of someone else?
Yes, it can by default. It would be up to the GPO creator to properly ACL
the Group Policy Object itself to restrict access to the proper computer
accounts or users.
<<CDC
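The two checks raised in the reply above (who can read a GPO by default, and whether the SYSVOL transport is signed or encrypted) can be audited and tightened from PowerShell. The following is an added example written for this page; it is not code from the thread, from MIT Kerberos or from OpenAFS. It assumes a domain-joined administrative host with the RSAT GroupPolicy and SmbShare modules, and the GPO name and security group name are placeholders.

```powershell
# Added example, not from the original thread. Audit and restrict a GPO that
# would carry a shared keytab, then check SMB signing/encryption for SYSVOL.
# Assumptions: RSAT GroupPolicy module available; names below are placeholders.
Import-Module GroupPolicy

$GpoName      = 'Shared Keytab Deployment'    # placeholder GPO name
$AllowedGroup = 'Keytab-Cluster-Computers'    # placeholder group containing the cluster's computer accounts

# 1. Who can currently read or apply the GPO? A freshly created GPO grants
#    'Authenticated Users' Read + Apply, i.e. every domain user and computer
#    can read the SYSVOL files behind it.
Write-Host "Permissions on '$GpoName' before:"
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited |
    Format-Table -AutoSize

# 2. Restrict it: drop 'Authenticated Users' entirely and grant the intended
#    computer group GpoApply (which includes Read). Because the target computer
#    accounts are members of the group, they can still read and process the
#    policy. GPMC propagates this ACL to the GPO's SYSVOL folder as well.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace
Set-GPPermission -Name $GpoName -TargetName $AllowedGroup -TargetType Group `
                 -PermissionLevel GpoApply

Write-Host "Permissions on '$GpoName' after:"
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited |
    Format-Table -AutoSize

# 3. Transport check. On the domain controller, see whether the SMB server
#    requires signing and whether it encrypts data at all.
#    (Run this part on the DC itself.)
# Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EncryptData

# On a client that has SYSVOL open, show negotiated dialect and whether the
# session is signed/encrypted. Assumption: the Signed and Encrypted properties
# are present on this OS version's Get-SmbConnection output.
Get-SmbConnection |
    Where-Object { $_.ShareName -eq 'SYSVOL' } |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize
```

Step 2 is the check the reply says is "up to the GPO creator": after it, a machine outside the allowed group can no longer read the policy's files from SYSVOL. Step 3 only reports what the transport does today; forcing signing or encryption is a separate change to the DC's SMB server configuration or an IPsec policy, as the reply notes.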
More information about the kfwdev
mailing list