[OpenAFS] A security hole or a mistake of configuration

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
07 Feb 2002 08:41:18 +0100

Charles Clancy <security@xauth.net> writes:

> > Without PAM configured,
> > <1> USER1 uses klog to log in to AFS (tty1)
> > <2> switch to another terminal (tty2), log in as root, and su USER1, and
> > this terminal got tokens as tty1 without any password
> Use 'klog -setpag'.  See Russ's explanation.  In a krb5 environment, use
> 'aklog -setpag'.

Remember root can do (nearly) anything on the local machine. It may
also log all keyboard input, manipulate the klog program to dump
passwords somewhere, could (at least I suppose) even spy into the
cache manager for any tokens of local users. 

In any case, you have to trust your local root, as well as your afs
admins and the roots on the afs servers (as well as the backup stuff
etc.) The one you *need not* trust is the root of afs clients (even in
the same cell) which you do not use (i.e. gave your password).

At least krb5 deposits the TGT in a file in the local filesystem,
readable only for the specific user (and local root of course). Any
process with that specific user id (or id 0) can read this
file. All that is necessary for the access of afs files is to set the
$KRB5CCNAME environment variable to that local TGT file (here it is
something like KRB5CCNAME=FILE:/tmp/tkt500_OtRDjs) and call aklog. Up you go....

> > with PAM configured, it would not be that.

PAM does not save you from having to trust your own user id or your local root.

All of the above is AFAIK, please correct me if I am wrong.

Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
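
Added example, not part of the original post: a small audit of a FILE: credential cache named by KRB5CCNAME, checking that it is a regular file, owned by the expected uid, with no group/other permission bits. The function names and the sample files are constructed for illustration; a clean result still leaves the cache readable by every process with the same uid and by local root, as the message above says.

```python
import os
import stat
import tempfile

def parse_ccname(ccname):
    """Split a KRB5CCNAME value into (type, residual); a bare path means FILE."""
    if ":" in ccname and not ccname.startswith("/"):
        kind, _, residual = ccname.partition(":")
        return kind.upper(), residual
    return "FILE", ccname

def audit_ccache(ccname, expected_uid):
    """Return a list of findings; an empty list means owner-only access."""
    kind, path = parse_ccname(ccname)
    if kind != "FILE":
        return [f"cache type {kind} is not a file; not checked here"]
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in /tmp
    except FileNotFoundError:
        return ["cache file does not exist"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink or special file)")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other bits set: mode {stat.S_IMODE(st.st_mode):04o}")
    return findings

def demo():
    """Audit two constructed placeholder files (not real ticket caches)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tkt_good")
        bad = os.path.join(d, "tkt_bad")
        for p, mode in ((good, 0o600), (bad, 0o644)):
            with open(p, "wb") as f:
                f.write(b"constructed placeholder")
            os.chmod(p, mode)
        return audit_ccache("FILE:" + good, uid), audit_ccache("FILE:" + bad, uid)

if __name__ == "__main__":
    print(demo())
```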