KfM 4.0b7: a few questions

Alexandra Ellwood lxs at MIT.EDU
Thu Jan 31 12:05:01 EST 2002

I'm unclear why is it such a problem to train users to only type 
their password into the Kerberos Login Server dialog.  We present a 
distinctive and consistent user interface, Dock icon and launch path. 
Our KerberosLoginServer.app (separate from the Kerberos.app) resides 
in a location owned by root/wheel so admin users can't modify it 
without typing in their admin passwords.  Any security conscious user 
can verify via their favorite process monitor that only a user with 
root access could have tampered with their Kerberos dialog.

Non-security conscious users aren't going to verify anything, no 
matter how hard you try to make them.  In fact if you make life too 
difficult for these users, they'll find a way to circumvent the 
security entirely.  Mac users are intolerant of inconvenient 
applications -- much more so than Unix users -- especially since 
Kerberos has been historically more convenient on the Mac.

Training users to run "kinit" when they get a "no credentials" error 
is very similar to training them to type into a specific-looking 
dialog which appears when credentials are not present.  Yes, a 
malicious application can launch a helper application that presents a 
similar looking dialog.  That same app could also add a line to the 
user's .cshrc which makes "kinit" an alias to a malicious kinit.  Or 
it could change the Kerberos application icon in the Dock to point to 
a malicious Kerberos application.  If the user is an admin user, the 
situation is even worse, because /Applications is writable by the 
admin group, and the malicious application could modify the Kerberos 
application itself.

In order to notice this kind of tampering, users need to run "alias 
kinit", avoid the Dock, or check the mod dates on the Kerberos 
application before typing in their password.  Any user willing to do 
that would also be willing to run "/bin/ps" to verify that the real 
Kerberos Login Server is prompting for a password.

If you're going to spend lots of resources training users, you should 
train them to only download and run trusted software.  At the very 
least, instruct users to create a separate non-admin, non-Kerberos 
account for recreational software.  Once malicious software is 
running as the user, you've already lost.  Even if the malicious 
program doesn't bother attacking the automatic Kerberos dialog, it 
still has access to the ticket file/cache, the dock icons, etc.

>But it wouldn't surprise me if a
>site had a policy prohibiting the auto-password dialog from being used,
>and it would be shame if you couldn't use the shipped Mac Kerberos
>at such a site (not that any site that I'm aware of has such a policy

If a site has such a policy, they won't be able to use Mac OS X at 
all.  Mac OS X automatically prompts for passwords all over the 
place, especially for the admin password to get root access.  In the 
not too distant future, this admin password could also be the user's 
Kerberos password.

In addition, any site handling very sensitive information on Mac OS X 
or Windows boxes should have a disconnected network or no network at 
all.  Automatic prompting for passwords is the least of their 

However, Alexei's automatic AFS token acquisition program exposes a 
technical problem in the *way* we automatically pop up dialogs.  We 
will investigate ways to fix it in a future release.  It probably 
won't make it into 4.0 though.

Fortunately with the Kerberos.loginAuthenticator, users can get 
tickets on login (via the loginwindow).  When the login authenticator 
is enabled, the automatic dialog should only pop up if users 
intentionally destroy their tickets, or if the tickets expire.

My two cents,

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/

More information about the krbdev mailing list