[OpenAFS] Kerberos 5 cache in /tmp
Derek Atkins
warlord@MIT.EDU
Wed, 07 Apr 2004 10:50:45 -0400
MIT has lived happily with it for almost two decades.
If you have multi-user machines, root is NECESSARILY a
trusted priviledge.
If you care that much you could:
kinit; aklog; kdestroy
But that would certainly annoy _ME_ as a user, as I use kerberos
for other applications than just AFS.
-derek
Frederic Gilbert <Frederic.Gilbert@inria.fr> writes:
> Hi,
>
> We use OpenAFS 1.2.10 on 3 DB and 4 FS servers, and are slowly migrating
> to Kerberos5 for authentication.
>
> We realized recently that, Kerberos5 credentials being stored in files
> in /tmp, anyone allowed to be root on a client was able to impersonate a
> connected AFS user by simply doing su, setenv KRB5CCNAME and aklog.
>
> We are very concerned about the security implications of this possibility.
> Looking through mailing lists archives, I could not find a lot of people
> bothered with this, and common answers were:
> - if you give the root password to some people, you're supposed to trust
> them (I don't agree, because root access to an AFS client is a limited
> priviledge and can be given with a lower level of confidence than e.g.
> AFS admin);
> - under AFS, root can steal tokens too (yes, but by having to find them
> in the kernel memory, which is a quite more complex job).
>
> Do people here who migrated to Kerberos5 have any workaround or opinion
> about this issue, or are they living happily with it?
>
> Frederic Gilbert.
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available