[466] in SIPB-AFS-requests

Re: machines in pts database?

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed May 22 02:05:14 1991

To: yourmessageoftue@ATHENA.MIT.EDU, 52:27-0400.@21may9111.MIT.EDU
Cc: qjb@ATHENA.MIT.EDU, sipb-afsreq@ATHENA.MIT.EDU
In-Reply-To: [465] in SIPB-AFS-requests
Reply-To: Marc Horowitz <marc@MIT.EDU>
Date: Wed, 22 May 91 02:04:51 EDT
From: Marc Horowitz <marc@ATHENA.MIT.EDU>

>> This is very, very wrong.  It means that the compromise of one AFS
>> server in a cell means that all servers in the cell have been
>> compromised.  There is no reason that a compromise in b11 should break the
>> security of machines in e40.

Slave kerberos servers have the same master key as the kerberos
server, don't they?  If you break into one AFS server (well, one prdb
server, anyway), you can steal the key for a bos superuser, and use
that to break into all the others.  Also, afs servers use their own
kerberos database.  The afs key is equivalent to the kerberos master
password.  If kerberos weren't so hardwired <insert appropriate
gratuitous flame here>, then each server could have its own key, and a
list of servers it trusts.  Of course, this means if you can violate
one, you can violate the others, and compromise those keys, too, so
you don't win anything.

>> Zephyr also loses in this fashion (in my opinion).

This is true.  It would be possible for the servers to exchange my
session key securely.  Then, violating one would only compromise
security until all the session keys expire.  But this would require
changing the protocol.  Consider it on the list of stuff to do in the
next version of the protocol :-)

		Marc