[OpenAFS] Redux: Linux: systemctl --user vs. AFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 05 Aug 2021 15:21:56 -0400


>if [ ! $guard-against-system-accounts ]; then
>    export KRB5CCNAME=/path/to/cache-depending-on-$(id -u)

I understand that with newer versions of systemd this is becoming more
common ... but can I offer up a cautionary tale?

We have been using Kerberos for a LONG time; over 20 years.  We are
by no means the oldest Kerberos users, but we've been around for a
good while and I've worked with large, diverse deployments.

A long time ago we ran into issues with widespread Kerberos ticket theft
from attackers, due to the quite-common usage at that time of Kerberos
tickets being stored in files.  The only countermeasure we were able to
develop was to completely move away from Kerberos tickets being stored
in files to IPC-based Kerberos credential caches that had basically the
same inheritance mechanism as AFS PAGs.  I wrote a custom credential
cache mechanism that was portable across Unix platforms that did this,
but in more recent years the availability of KEYRING on Linux and API on
MacOS X has made my credential cache obsolete, for which I am glad.

Obviously everyone needs to decide where they live on the
security/usability graph, but I would personally NEVER, EVER, in a
million years go back to file-based credential caches.  And in our
experience, this hasn't been necessary, at least not for 20 years.
That does come with the heavy caveat that we do not use any user-based
systemd services.  I'd rather develop some alternative to that than
go backwards in security, because issues with ticket theft are real
and I think it's only a matter of time before it becomes a larger issue.

--Ken
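As an added illustration (not code from the original post, nor from OpenAFS or MIT krb5), here is what the quoted startup snippet looks like if it follows the advice above and hands the user a kernel- or IPC-backed credential cache instead of a file path, plus a check that tells a file-backed cache name from a non-file one. The uid threshold of 1000, the per-platform cache types, and the helper names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenAFS/MIT krb5): pick a
# credential cache that lives in kernel/IPC storage rather than in a file, and
# refuse to set one for system accounts.
#
# Assumptions (not stated on the page):
#   - uids below MIN_UID are system accounts (1000 is a common Linux default)
#   - Linux:  KEYRING:persistent:<uid>  (MIT krb5 kernel keyring ccache)
#   - Darwin: API:                      (macOS in-memory ccache via the API)
#   - any other platform: no non-file cache is known here, so the caller
#     leaves KRB5CCNAME alone and the krb5.conf default applies
MIN_UID=1000

# choose_ccache UID OS -> prints a KRB5CCNAME value, or returns 1 when the
# caller should leave KRB5CCNAME unset.
choose_ccache() {
    uid=$1
    os=$2
    if [ "$uid" -lt "$MIN_UID" ]; then
        return 1            # system account: never hand it a per-user cache
    fi
    case $os in
        Linux)  printf 'KEYRING:persistent:%s\n' "$uid" ;;
        Darwin) printf 'API:\n' ;;
        *)      return 1 ;;
    esac
}

# ccache_is_file NAME -> 0 (true) when NAME denotes a cache stored in the
# filesystem: a bare path, an explicit FILE: prefix, or a DIR: collection.
ccache_is_file() {
    case $1 in
        FILE:*|DIR:*) return 0 ;;
        *:*)          return 1 ;;   # KEYRING:, API:, KCM:, MEMORY: ...
        *)            return 0 ;;   # a bare path is a FILE cache
    esac
}

# Demo for the current user; on a system account it only reports.
if cc=$(choose_ccache "$(id -u)" "$(uname -s)"); then
    echo "would export KRB5CCNAME=$cc"
    if ccache_is_file "$cc"; then
        echo "warning: $cc is a file-based cache" >&2
    fi
else
    echo "system account or unknown platform: leaving KRB5CCNAME alone"
fi
```

The same decision can be made once, system-wide, with MIT krb5's default_ccache_name setting in the [libdefaults] section of krb5.conf (for example KEYRING:persistent:%{uid}), so that nothing in a user's login scripts needs to export KRB5CCNAME at all; the per-user script form is shown here only because that is what the quoted snippet does.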