[OpenAFS] Kerberos 5 cache in /tmp

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 07 Apr 2004 15:41:05 -0400

On Wednesday, April 07, 2004 15:41:45 +0200 Frederic Gilbert 
<Frederic.Gilbert@inria.fr> wrote:

> We use OpenAFS 1.2.10 on 3 DB and 4 FS servers, and are slowly migrating
> to Kerberos5 for authentication.
> We realized recently that, Kerberos5 credentials being stored in files
> in /tmp, anyone allowed to be root on a client was able to impersonate a
> connected AFS user by simply doing su, setenv KRB5CCNAME and aklog.
> We are very concerned about the security implications of this possibility.
> Looking through mailing lists archives, I could not find a lot of people
> bothered with this, and common answers were:
> - if you give the root password to some people, you're supposed to trust
> them (I don't agree, because root access to an AFS client is a limited
> priviledge and can be given with a lower level of confidence than e.g.
> AFS admin);
> - under AFS, root can steal tokens too (yes, but by having to find them
> in the kernel memory, which is a quite more complex job).
> Do people here who migrated to Kerberos5 have any workaround or opinion
> about this issue, or are they living happily with it?

This property is not new with krb5.  It follows directly from the UNIX 
security architecture.

If you do not trust the people who have privileged access to your machine, 
then you have already lost.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA