[OpenAFS] Redux: Linux: systemctl --user vs. AFS

spacefrogg-openafs@spacefrogg.net spacefrogg-openafs@spacefrogg.net
Sat, 14 Aug 2021 21:20:37 +0000 (UTC)

The KEYRING vulnerability was CVE2016-0728. It is obviously fixed nowadays.=
 So, I was not referring to a principle problem.

Having tickets in world-writable locations is a stealing issue. The attacke=
r would try to precreate the well-known ticket cache file with attackers ac=
cess rights. This lead Ubuntu et al. to use harder to guess variable ticket=
 cache files. The problem is the library-based distributed implementation o=
f Kerberos client side. When there is no known trusted controlling process =
to create the ticket cache file in the first place, it is hard to establish=

Our solution was to resort to a trusted service for ticket cache management=
 in the form of sssd and a patched openssh. The user, through the client li=
brary, is not able to create new ticket caches in the well-known location, =
as it is only writable by root.

I would expect openssh to need a likewise patch to work with KEYRING ticket=