[OpenAFS] Kerberos 5 cache in /tmp

[Christopher Allen Wing]

root on a unix workstation is total access; someone with root access
could, for instance, replace the login program or sshd binary with a
version that steals your password every time you log in.

Basically, you should not type your password into a computer where someone
you do not trust has root access.


If you are the administrator of all the machines in question, a better
solution might be to try and eliminate the need to give out root access
where possible. For instance, if the only reason why someone requires root
is to perform a few tasks you could have them use sudo instead.


It's not difficult to steal tokens; all you need to know is the PAG number
of the user's process (which you can get via 'ps'). See:

	http://www-personal.engin.umich.edu/~wingc/code/stealpag.c


-Chris Wing
wingc@engin.umich.edu


On Wed, 7 Apr 2004, Frederic Gilbert wrote:

> Hi,
>
> We use OpenAFS 1.2.10 on 3 DB and 4 FS servers, and are slowly migrating
> to Kerberos5 for authentication.
>
> We realized recently that, Kerberos5 credentials being stored in files
> in /tmp, anyone allowed to be root on a client was able to impersonate a
> connected AFS user by simply doing su, setenv KRB5CCNAME and aklog.
>
> We are very concerned about the security implications of this possibility.
> Looking through mailing lists archives, I could not find a lot of people
> bothered with this, and common answers were:
> - if you give the root password to some people, you're supposed to trust
> them (I don't agree, because root access to an AFS client is a limited
> priviledge and can be given with a lower level of confidence than e.g.
> AFS admin);
> - under AFS, root can steal tokens too (yes, but by having to find them
> in the kernel memory, which is a quite more complex job).
>
> Do people here who migrated to Kerberos5 have any workaround or opinion
> about this issue, or are they living happily with it?
>
> Frederic Gilbert.