[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?
Fri, 27 Jan 2006 10:54:40 -0500
>Indeed, it should. What Russ is alluding to here is the fact that most
>aklog's determine what realm to use by applying the normal Kerberos
>host-to-realm mapping on the hostname of one of the DB servers. Of course,
>this introduces all sorts of security issues related to trusting the names
>in AFSDB records, but that's been true for a while.
You know, I've never been happy that aklog does that (I can't take all
the blame for that one; it was like that when I first got aklog). I
understand why it was done, but it was always a kludge.
What do people think about the idea of having an AFS RPC which said,
"Hey, what's your Kerberos realm?" This would have to be done
unauthenticated of course, so I don't see it being any better from a
security standpoint, but it would solve this particular problem, and it
really makes more sense.
(Since you don't forward TGTs to AFS fileservers, I don't view it as a
huge problem .... I admit it's not ideal and depending on what you do
with AFS I can think of some interesting possible attacks, but it's
certainly not worse than anything people are doing now).