[29955] in Kerberos
Re: Kerberos Ldap Integration
daemon@ATHENA.MIT.EDU (Scott Grizzard)
Wed Jun 11 17:32:30 2008
Message-ID: <484FF28B.7010900@scottgrizzard.com>
Date: Wed, 11 Jun 2008 08:43:07 -0700
From: Scott Grizzard <scott@scottgrizzard.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <g2mal0$5pf$1@news.lrz-muenchen.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Yes, local users with su access could obtain a user's TGT, and then use
that ticket to access network services in the user's name. However, the
impostor could only use the TGT until the tickets expire, so there is a
limit to the damage. If you are worried about this in the labs, set the
TGTs for the "lower users" to expire after an hour or two.
Consider just giving them sudo access instead of full root access. Then,
redirect syslog to a system outside the admins' control. This way, all
sudo action is logged. Then, in your orientation, emphasize the fact
that, while they can do rogue stuff, it will be logged if they do. Ha ha ha.
You can also set up sudo to use LDAP for sudoers, so the administrative
headache is not as large.
- Scott
Sebastian Hanigk wrote:
> "Eric Hill" <eric@ijack.net> writes:
>
>
>> What you are trying to prevent is a root user on system A accessing
>> user data on system B without knowing the users' credentials. This is
>> precisely what Kerberos prevents. System B will not accept inbound
>> sessions without a Kerberos ticket, and it is impossible for a root
>> user on system A to gain a TGT for the user without knowing the users'
>> credentials.
>>
>
> Not true in general. The superuser often has the capability to read the
> user's credential cache (be it a plain file or something memory based)
> and could therefore impersonate the respective user - if a valid
> ticket has already been acquired by the user.
>
>
> Sebastian
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
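Scott's suggestion is to send every sudo action to a syslog host the lab admins cannot touch, so that reading another user's credential cache leaves a record. As an added example that is not part of the thread, the Python below parses sudo syslog lines in sudo's default log format and flags commands that name a Kerberos credential cache; the hostnames, usernames, uids and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default sudo syslog format: "<timestamp> <host> sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:\s+(?P<fields>.*)$"
)
# Anything naming a credential cache: the default FILE cache /tmp/krb5cc_<uid>
# or an explicit KRB5CCNAME= override passed on the command line.
CCACHE_PATTERN = re.compile(r"krb5cc_|KRB5CCNAME=")

@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str     # account that invoked sudo
    target: str   # USER= field: account the command ran as
    command: str  # COMMAND= field: program path plus arguments

def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one syslog line; return None for non-sudo or malformed lines."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(" ; "):  # sudo joins its fields with " ; "
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if "COMMAND" not in fields:
        return None
    return SudoEvent(m.group("ts"), m.group("host"), m.group("user"), fields.get("USER", ""), fields["COMMAND"])

def flag_ccache_access(lines: Iterable[str]) -> List[SudoEvent]:
    """Return every sudo event whose command touches a Kerberos credential cache."""
    flagged = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None and CCACHE_PATTERN.search(ev.command):
            flagged.append(ev)
    return flagged

# Constructed sample log (hosts, users, uids invented): one routine sudo entry,
# two credential-cache reads, one non-sudo sshd line that must be ignored.
SAMPLE_LOG = [
    "Jun 11 17:32:30 labhost sudo:   labadmin : TTY=pts/1 ; PWD=/home/labadmin ; USER=root ; COMMAND=/usr/bin/apt-get upgrade",
    "Jun 11 17:33:02 labhost sudo:   labadmin : TTY=pts/1 ; PWD=/home/labadmin ; USER=root ; COMMAND=/bin/cat /tmp/krb5cc_1001",
    "Jun 11 17:33:40 labhost sudo:   labadmin : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/klist -c /tmp/krb5cc_1001",
    "Jun 11 17:35:00 labhost sshd[2201]: Accepted publickey for labadmin from 10.0.0.5 port 51000 ssh2",
]
```

Running `flag_ccache_access(SAMPLE_LOG)` returns the two entries that read `/tmp/krb5cc_1001`; pointing it at the remote syslog copy rather than the local file is what keeps the record outside the admins' reach.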