[OpenAFS] Kerberos 5 cache in /tmp

Frederic Gilbert Frederic.Gilbert@inria.fr
Wed, 07 Apr 2004 15:41:45 +0200


Hi,

We use OpenAFS 1.2.10 on 3 DB and 4 FS servers, and are slowly migrating
to Kerberos5 for authentication.

We realized recently that, Kerberos5 credentials being stored in files
in /tmp, anyone allowed to be root on a client was able to impersonate a
connected AFS user by simply doing su, setenv KRB5CCNAME and aklog.

We are very concerned about the security implications of this possibility.
Looking through mailing list archives, I could not find a lot of people
bothered with this, and common answers were:
- if you give the root password to some people, you're supposed to trust
them (I don't agree, because root access to an AFS client is a limited
privilege and can be given with a lower level of confidence than e.g.
AFS admin);
- under AFS, root can steal tokens too (yes, but by having to find them
in the kernel memory, which is quite a more complex job).

Do people here who migrated to Kerberos5 have any workaround or opinion
about this issue, or are they living happily with it?

Frederic Gilbert.
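As an added example (not part of the original post), a small audit for the situation described above: it walks a /tmp-style directory for krb5cc_* credential caches and reports caches owned by a different uid than the one in the file name, caches with any group/other permission bits, and stale caches left behind long after their owner logged out. The directory, the age threshold and the use of GNU coreutils stat/find are my assumptions.

```shell
#!/bin/sh
# Audit Kerberos 5 credential caches (krb5cc_*) in a /tmp-style directory.
# Root can read every cache regardless, so this check only narrows the
# exposure: no cache readable by other users, none sitting under a foreign
# uid, and no stale caches prolonging the window after a user has left.
# Assumes GNU coreutils stat/find (Linux) and names like krb5cc_<uid>[_suffix].

audit_ccaches() {
    dir="${1:-/tmp}"
    max_age_min="${2:-720}"   # caches untouched longer than this are "stale"
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue
        # uid encoded in the file name (krb5cc_1000 or krb5cc_1000_AbCd12);
        # empty for pid-style names such as krb5cc_p1234
        name_uid=$(basename "$f" | sed -n 's/^krb5cc_\([0-9][0-9]*\).*/\1/p')
        owner_uid=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")

        # the uid in the name should own the file; anything else means a
        # cache was created or copied for another identity
        if [ -n "$name_uid" ] && [ "$name_uid" != "$owner_uid" ]; then
            printf 'owner-mismatch name_uid=%s owner_uid=%s %s\n' \
                "$name_uid" "$owner_uid" "$f"
        fi

        # last two octal digits are the group/other bits; a ccache must be 0600
        case "$mode" in
            *00) ;;
            *)   printf 'world-or-group-readable mode=%s %s\n' "$mode" "$f" ;;
        esac

        # a cache not modified for longer than max_age_min is probably a
        # leftover from a session that ended; candidates for kdestroy/cleanup
        if [ -n "$(find "$f" -mmin "+$max_age_min")" ]; then
            printf 'stale age_over_min=%s %s\n' "$max_age_min" "$f"
        fi
    done
    return 0
}

# usage: audit_ccaches /tmp 720
```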