[OpenAFS] Redux: Linux: systemctl --user vs. AFS
spacefrogg-openafs@spacefrogg.net
Sat, 14 Aug 2021 21:20:37 +0000 (UTC)
The KEYRING vulnerability was CVE-2016-0728. It is obviously fixed nowadays. So, I was not referring to a problem in principle.
Having tickets in world-writable locations is a stealing issue. The attacker would try to precreate the well-known ticket cache file with the attacker's access rights. This led Ubuntu et al. to use harder-to-guess variable ticket cache files. The problem is the library-based distributed implementation of the Kerberos client side. When there is no known trusted controlling process to create the ticket cache file in the first place, it is hard to establish trust.
Our solution was to resort to a trusted service for ticket cache management in the form of sssd and a patched openssh. The user, through the client library, is not able to create new ticket caches in the well-known location, as it is only writable by root.
I would expect openssh to need a similar patch to work with KEYRING ticket caches.
–Michael
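An added illustration, not code from this thread nor from sssd, openssh or OpenAFS, of the defensive checks a client-side cache creator can make before trusting a well-known cache path: refuse a parent directory that is world-writable without the sticky bit, refuse a symlink or a file owned by another user, and create with O_EXCL so a precreated file is never silently reused. All function and file names are hypothetical.

```python
import os
import stat
import tempfile
from typing import Optional

def check_cache_path(path: str) -> Optional[str]:
    """Return None if `path` is safe to use as a ticket cache, else the reason it is not."""
    uid = os.getuid()
    parent = os.path.dirname(path) or "."
    pmode = os.stat(parent).st_mode
    # A world-writable parent without the sticky bit lets any user remove or replace entries.
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        return "parent directory is world-writable without the sticky bit"
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return "path is a symlink"
    if st.st_uid != uid:
        return "existing file is owned by uid %d, not %d" % (st.st_uid, uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "existing file is accessible by group or others"
    return None

def create_cache(path: str) -> int:
    """Create a fresh owner-only cache file; refuse to reuse anything already at `path`."""
    reason = check_cache_path(path)
    if reason is None:
        try:
            # O_EXCL closes the window between check and create; O_NOFOLLOW refuses symlinks.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
            return os.open(path, flags, 0o600)
        except FileExistsError:
            reason = "file appeared between check and create"
    raise PermissionError("refusing ticket cache %s: %s" % (path, reason))

def demo() -> dict:
    """Exercise the checks on constructed files in a private temp dir; returns each verdict."""
    d, out = tempfile.mkdtemp(), {}
    fresh = os.path.join(d, "krb5cc_fresh")       # hypothetical cache file name
    os.close(create_cache(fresh))
    out["fresh"] = check_cache_path(fresh)         # our own 0600 file: None
    loose = os.path.join(d, "krb5cc_loose")
    os.close(os.open(loose, os.O_WRONLY | os.O_CREAT, 0o644))
    os.chmod(loose, 0o644)                         # simulate a cache left readable by others
    out["loose"] = check_cache_path(loose)
    link = os.path.join(d, "krb5cc_link")
    os.symlink(loose, link)                        # simulate a planted symlink
    out["link"] = check_cache_path(link)
    try:
        create_cache(fresh)
        out["reuse"] = "created"
    except PermissionError:
        out["reuse"] = "refused"                   # existing file is never reused
    return out
```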