[OpenAFS] Kerberos 5 cache in /tmp

[Derek Atkins]

MIT has lived happily with it for almost two decades.
If you have multi-user machines, root is NECESSARILY a
trusted priviledge.

If you care that much you could:
   kinit; aklog; kdestroy

But that would certainly annoy _ME_ as a user, as I use kerberos
for other applications than just AFS.

-derek

Frederic Gilbert <Frederic.Gilbert@inria.fr> writes:

> Hi,
>
> We use OpenAFS 1.2.10 on 3 DB and 4 FS servers, and are slowly migrating
> to Kerberos5 for authentication.
>
> We realized recently that, Kerberos5 credentials being stored in files
> in /tmp, anyone allowed to be root on a client was able to impersonate a
> connected AFS user by simply doing su, setenv KRB5CCNAME and aklog.
>
> We are very concerned about the security implications of this possibility.
> Looking through mailing lists archives, I could not find a lot of people
> bothered with this, and common answers were:
> - if you give the root password to some people, you're supposed to trust
> them (I don't agree, because root access to an AFS client is a limited
> priviledge and can be given with a lower level of confidence than e.g.
> AFS admin);
> - under AFS, root can steal tokens too (yes, but by having to find them
> in the kernel memory, which is a quite more complex job).
>
> Do people here who migrated to Kerberos5 have any workaround or opinion
> about this issue, or are they living happily with it?
>
> Frederic Gilbert.
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available