[OpenAFS] Questions about AFS security

Derek Atkins warlord@MIT.EDU
20 Jan 2002 19:38:05 -0500


Charles Clancy <security@xauth.net> writes:

> > I know AFS can work within a Kerberos 5 infrastructure, but you have
> > to run krb524d (right?).
> 
> I'm pretty sure you only need krb524d if you're running fakeka (am
> I right, guys?).

Charles: wrong.  You need krb524 if you're running aklog (because you
need to convert from a v5 to a v4 ticket).  Fakeka is only required
when you want to have 'klog' work, which is really only an issue if
you're converting from a KAServer to a v5 server and users are used to
using klog.  In a new cell there is absolutely no reason to use
fakeka/kaforwarder.

Pat, using krb524 does not open you up to the offline password
guessing attacks because krb524d is just another v5 service.  You
need to supply a valid v5 ticket before it will give you a v4 ticket.

In fact, there is no particular reason that the 524 daemon needs to
run on your KDC!

> > My question is, does being an AFS administrator automatically allow
> > you to run things as root on the AFS server?  (I thought I read about
> > a "bos exec" command or something.)
> 
> Yes, it does -- i.e. if 'bos listusers' lists your username, which is
> different from 'pts mem system:administrators' listing your username.

You need to be in the SUsers list for some functions, but not all of
them.  Regardless of whether bos is in restricted mode, your admins do
NOT need root access to your servers.  Similarly, if you turn on bos
restricted mode (see below) then your admins won't be able to execute
commands as root.

So, no, your sys admins do not need root access to your servers... But
they should still probably be in SUsers as well as
system:administrators.

> > If so, is there any way I can disable this?  If not, does anyone have
> > ideas for how I can get a tamper-proof log of the actions of our AFS
> > admins?
> 
> ./configure --enable-bos-restricted-mode
> should do it for you.

The RPMs are not compiled with this, but you could easily rebuild the
RPMs and add this option to the configuration.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
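
Added example, not part of the original message: a shell check that compares the bos SUsers list with the membership of system:administrators, the two separate lists distinguished in the thread, and reports names that appear in only one. The sample outputs are constructed and assume the usual output layout of `bos listusers` and `pts membership`; the function names are hypothetical.

```shell
#!/bin/sh
# Compare the bos SUsers list with system:administrators and report drift.
# The samples below are constructed. On a live cell, feed in the output of
#   bos listusers <server>    and    pts membership system:administrators

# Constructed sample of `bos listusers` output.
sample_bos='SUsers are: admin alice'

# Constructed sample of `pts membership system:administrators` output.
sample_pts='Members of system:administrators (id: -204) are:
  admin
  bob'

# Print one SUsers name per line, sorted, from `bos listusers` output on stdin.
parse_susers() {
    sed -n 's/^SUsers are://p' | tr -s ' \t' '\n' | sed '/^$/d' | sort -u
}

# Print one group member per line, sorted; member lines are the indented ones,
# so the "Members of ..." header is skipped.
parse_members() {
    sed -n 's/^[[:space:]]\{1,\}//p' | sed '/^$/d' | sort -u
}

# Names in newline-separated list $1 that do not appear in list $2.
only_in() {
    printf '%s\n' "$1" | grep -vxF -e "$2" || true
}

# $1 = raw `bos listusers` output, $2 = raw `pts membership` output.
audit() {
    su=$(printf '%s\n' "$1" | parse_susers)
    adm=$(printf '%s\n' "$2" | parse_members)
    for u in $(only_in "$su" "$adm"); do
        echo "SUsers-only: $u"
    done
    for u in $(only_in "$adm" "$su"); do
        echo "system:administrators-only: $u"
    done
}

audit "$sample_bos" "$sample_pts"
```

Run it once per file server, since each server keeps its own SUsers list.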