
Re: About how to protect network resources in LDAP environment?



"Boyd Stephen Smith Jr." <bss@iguanasuicide.net> writes:
> On Saturday, August 28, 2010 20:29:50 you wrote:

>> Can't root just read/steal and even use sockets/fifos/pipes owned by
>> all other users?  Any Kerberos credentials used on the local system
>> would also be usable by root.

Correct.

> From what I understand, properly implemented, strong encryption is used to 
> make this impossible.

No, there's no way to make this impossible.

> I suppose it is possible for a userA, when authenticating from a system
> controlled by userB, can have their credentials "stolen" by userB -- it
> seems those credentials would be in plaintext for some period of time on
> userB's system.

Or you can just steal the ticket cache after it was obtained.  It's not as
good as stealing the password, but it's easier and lets you pretend to be
them to any Kerberos-authenticated resource for the remaining lifetime of
the ticket.

> Kerberos isn't designed against this, you should only get your TGT
> (i.e. do your authentication) from a system your trust or control.  Your
> TGT will be used to generate secure authentication tokens for using a
> service on all the untrusted systems that can speak to the Kerberos
> "domain".  Those authentication tokens time out, and can't be used for
> generating a TGT (or any other service besides the one they were
> generated for).

The problem is that you frequently need to access Kerberized resources
from other hosts (such as NFS stores), at which point you forward your
Kerberos tickets, and then they're vulnerable to theft by root on whatever
system you forward them to.

Any place your TGT is stored is vulnerable to root accounts on that
system.  Kerberos doesn't help with that problem, although you can limit how
many places that is by not forwarding your ticket except when it's
absolutely necessary.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
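As an added example for the point made above (this is not code from the thread or from any Kerberos implementation), the following Python parses a FILE: credential cache of the kind that root can simply copy out of /tmp/krb5cc_<uid> on any host a ticket was obtained on or forwarded to. Everything in that file, the session keys included, is stored in the clear, so reading it is all a thief needs to do. The sample cache bytes, the realm EXAMPLE.ORG, the principal names, the key bytes and the timestamps are all constructed here; the parser assumes the MIT ccache file format, versions 3 and 4 only (KCM, keyring and other cache types are not covered), and the forwardable-flag bit value is taken from MIT's TKT_FLG_FORWARDABLE.

```python
"""Parse a Kerberos FILE: credential cache (MIT ccache format, versions 3 and 4).

Added example, not code from the thread: shows what root learns from a copied
/tmp/krb5cc_<uid>.  The sample cache at the bottom is constructed in this file.
"""
import struct
from datetime import datetime, timezone

TKT_FLG_FORWARDABLE = 0x40000000     # MIT krb5 ticket flag bit (assumed from krb5.h)


class _Reader:
    """Big-endian cursor over the raw cache bytes; raises on truncation."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def counted(self) -> bytes: return self.take(self.u32())   # 32-bit length + data

    def principal(self) -> str:
        self.u32()                                   # name type (present in v3/v4)
        ncomp = self.u32()
        realm = self.counted().decode()
        comps = [self.counted().decode() for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm


def parse_ccache(data: bytes) -> dict:
    """Return the default principal and every credential stored in the cache."""
    r = _Reader(data)
    if r.u8() != 0x05:
        raise ValueError("not a krb5 ccache")
    version = r.u8()
    if version not in (3, 4):
        raise ValueError(f"unsupported ccache version {version}")
    if version == 4:
        r.take(r.u16())                              # header block (tag/len/value fields)
    default = r.principal()
    creds = []
    while r.pos < len(data):
        client, server = r.principal(), r.principal()
        enctype = r.u16()
        if version == 3:
            r.u16()                                  # v3 repeats the enctype
        key = r.counted()                            # session key, unencrypted on disk
        authtime, starttime, endtime, renew_till = struct.unpack(">IIII", r.take(16))
        r.u8()                                       # is_skey
        flags = r.u32()
        for _ in range(r.u32()):                     # addresses
            r.u16(); r.counted()
        for _ in range(r.u32()):                     # authorization data
            r.u16(); r.counted()
        ticket = r.counted()
        r.counted()                                  # second_ticket
        creds.append({"client": client, "server": server, "enctype": enctype,
                      "session_key": key.hex(), "starttime": starttime,
                      "endtime": endtime, "renew_till": renew_till,
                      "flags": flags, "ticket_len": len(ticket)})
    return {"version": version, "default_principal": default, "credentials": creds}


def summarize(data: bytes) -> list:
    """(service, expiry in UTC, forwardable) per ticket: the thief's usable window."""
    return [(c["server"],
             datetime.fromtimestamp(c["endtime"], timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ"),
             bool(c["flags"] & TKT_FLG_FORWARDABLE))
            for c in parse_ccache(data)["credentials"]]


# ---- constructed sample cache (not captured from a real system) ----------------
def _counted(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _principal(realm: str, *comps: str, name_type: int = 1) -> bytes:
    out = struct.pack(">II", name_type, len(comps)) + _counted(realm.encode())
    return out + b"".join(_counted(c.encode()) for c in comps)

def _cred(client: bytes, server: bytes, key: bytes, endtime: int, ticket: bytes) -> bytes:
    flags = TKT_FLG_FORWARDABLE | 0x00400000          # forwardable + initial (constructed)
    return (client + server + struct.pack(">H", 18) + _counted(key)      # 18 = aes256-cts
            + struct.pack(">IIIIBI", endtime - 36000, endtime - 36000, endtime,
                          endtime + 86400, 0, flags)
            + struct.pack(">II", 0, 0) + _counted(ticket) + _counted(b""))

END = 1283050000                                     # constructed: 2010-08-29 02:46:40 UTC
USER = _principal("EXAMPLE.ORG", "alice")
TGT = _principal("EXAMPLE.ORG", "krbtgt", "EXAMPLE.ORG", name_type=2)
NFS = _principal("EXAMPLE.ORG", "nfs", "fileserver.example.org", name_type=3)
SAMPLE_CCACHE = (b"\x05\x04" + struct.pack(">HHHII", 12, 1, 8, 0, 0)  # v4 header: DeltaTime
                 + USER
                 + _cred(USER, TGT, bytes(range(32)), END, b"constructed-tgt-bytes")
                 + _cred(USER, NFS, bytes(range(32, 64)), END, b"constructed-nfs-ticket"))

if __name__ == "__main__":
    print("Default principal:", parse_ccache(SAMPLE_CCACHE)["default_principal"])
    for svc, exp, fwd in summarize(SAMPLE_CCACHE):
        print(f"  {svc:40s} expires {exp}  forwardable={fwd}")
```

Run against a real cache with `parse_ccache(open("/tmp/krb5cc_1000", "rb").read())` as root and the output is exactly the position described above: the TGT, its session key and every service ticket, usable until the printed expiry. The only mitigations the parser makes visible are the ones the message names, a short ticket lifetime and not forwarding a forwardable TGT to hosts that do not need it.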
