[36866] in Kerberos

Re: kadmin remote as a regular user

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Mar 31 10:15:24 2015

Message-ID: <551AABE9.2080407@mit.edu>
Date: Tue, 31 Mar 2015 10:15:05 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Rainer Krienke <krienke@uni-koblenz.de>, kerberos@mit.edu
In-Reply-To: <551A8B84.6080006@uni-koblenz.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 03/31/2015 07:56 AM, Rainer Krienke wrote:
> I would like to achieve the following. A particular user say "john" logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional other password.

You are running into two semi-configured, semi-conventional behaviors:

1. By default, kadmin assumes you want to authenticate as username/admin.

2. By default, the KDC doesn't accept TGS requests for the kadmin
service; you have to get an initial ticket directly for the service.
Because of this, the kadmin client doesn't even try to make a TGS
request; it either makes an AS request or uses existing tickets.

My recommendation is that you don't fight these defaults, but use kinit
-S and kadmin -c to avoid having to enter a password for every operation:

    kinit -S kadmin/admin -c /path/to/admin/ccache john/admin
    kadmin -c /path/to/admin/ccache

(Probably with a bit of scripting or dotfiles on top for convenience.)
If you don't want to create /admin principals, you can use "-p john" to
force the use of the user's regular principal, but using separate /admin
principals is safer.

If you really want, it is possible to circumvent both defaults as follows:

1. With kadmin.local, "modprinc +allow_tgs_req kadmin/admin" and
similarly for kadmin/host.of.kadmin.server

2. On the client, run "kvno kadmin/admin" to explicitly get a kadmin
service ticket.

3. Run "kadmin -c $KRB5CCNAME -p john" to authenticate using the regular
ccache and principal name.

However, step 1 significantly changes the security properties of the
realm.  In particular, it allows any attacker who gets ahold of a stolen
TGT, for any user, to change that user's password.  The password-change
protocol will still require an initial ticket because there is an
explicit check within that part of kadmind, but the attacker can make
the change via the normal kadmin protocol.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
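The recommended flow from the reply above (kinit -S into a dedicated credential cache, then kadmin -c against that cache) wrapped as a small POSIX shell script, together with an audit of the KDC-side default that step 1 of the workaround removes: "modprinc +allow_tgs_req" clears the DISALLOW_TGT_BASED attribute on kadmin/admin, so its absence in "getprinc" output means the KDC now hands out TGT-based kadmin tickets. This is an added example, not code from the thread or from MIT krb5; the realm EXAMPLE.COM, the cache path under /run/user/<uid>, the DRY_RUN, FORCE_KINIT and KADMIN_CCACHE knobs and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or MIT krb5): wraps
#   kinit -S kadmin/admin -c <cache> <user>/admin ; kadmin -c <cache> ...
# and audits that kadmin/admin still refuses TGS-based tickets.
# Assumed: realm EXAMPLE.COM, per-user cache under /run/user/<uid>,
# MIT krb5 client tools on PATH.
set -eu

KADMIN_SVC=kadmin/admin

# Path of the dedicated cache.  KADMIN_CCACHE overrides it; the default
# keeps the kadmin/admin ticket out of the user's normal ccache.
admin_ccache() {
    printf '%s\n' "${KADMIN_CCACHE:-/run/user/$(id -u)/krb5cc_kadmin}"
}

# Execute a command, or print it when DRY_RUN=1 (no KDC required).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Succeeds if the cache already lists a kadmin/admin ticket.  klist also
# lists expired tickets; if kadmin then fails, rerun with FORCE_KINIT=1.
have_admin_ticket() {
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    klist -c "$1" 2>/dev/null | grep -q "$KADMIN_SVC@"
}

# Run kadmin as <user>/admin, prompting for the /admin password only when
# the dedicated cache holds no kadmin/admin ticket yet.
# Usage: kadmin_as john -q "getprinc john"
kadmin_as() {
    user=$1; shift
    cc=$(admin_ccache)
    if [ "${FORCE_KINIT:-0}" = 1 ] || ! have_admin_ticket "$cc"; then
        run kinit -S "$KADMIN_SVC" -c "$cc" "$user/admin@${REALM:-EXAMPLE.COM}"
    fi
    run kadmin -c "$cc" "$@"
}

# Drop the kadmin/admin ticket when finished.
kadmin_done() {
    run kdestroy -c "$(admin_ccache)"
}

# Audit helper.  Reads "getprinc kadmin/admin" output on stdin and exits 0
# only if the Attributes line still carries DISALLOW_TGT_BASED, i.e. the
# KDC still rejects TGS requests for the kadmin service.
tgt_based_disallowed() {
    awk '
        /^Attributes:/ { seen = 1; if ($0 ~ /DISALLOW_TGT_BASED/) ok = 1 }
        END { if (seen && ok) exit 0; exit 1 }
    '
}

# On the KDC (kadmin.local needs database access, so run as root):
#   kadmin.local -q "getprinc kadmin/admin" | tgt_based_disallowed \
#       || echo "WARNING: kadmin/admin accepts TGS requests (step 1 applied)"
```

Source the script from a dotfile and call "kadmin_as john ..." for each operation; the /admin password is asked for once per cache lifetime, and "kadmin_done" removes the ticket afterwards. The audit line should be run against every principal named in step 1 of the workaround (kadmin/admin and kadmin/host.of.kadmin.server), since either one accepting TGS requests is enough for a stolen TGT to reach kadmind.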