[29967] in Kerberos
Re: Kerberos Ldap Integration
daemon@ATHENA.MIT.EDU (Derek Harkness)
Mon Jun 16 10:42:18 2008
From: Derek Harkness <dharknes@umd.umich.edu>
To: kerberos@mit.edu
Message-Id: <A638AC1A-18E9-42C0-91B2-386506B010AE@umd.umich.edu>
Date: Mon, 16 Jun 2008 07:40:46 -0700
In-Reply-To: <g2mal0$5pf$1@news.lrz-muenchen.de>
True, I was going with the case of a lab of single-person workstations
in which no other creds would exist on the system. So root wouldn't
be able to establish the creds.
In the other case, stealing the creds as root is certainly more
difficult than accidental usage of root privileges. Again, going with
the lab problem posted here.
Derek
On Jun 10, 2008, at 9:37 AM, Sebastian Hanigk wrote:
> "Eric Hill" <eric@ijack.net> writes:
>
>> What you are trying to prevent is a root user on system A accessing
>> user data on system B without knowing the users' credentials. This is
>> precisely what Kerberos prevents. System B will not accept inbound
>> sessions without a Kerberos ticket, and it is impossible for a root
>> user on system A to gain a TGT for the user without knowing the users'
>> credentials.
>
> Not true in general. The superuser often has the capability to read the
> user's credential cache (be it a plain file or something memory based)
> and could therefore impersonate the respective user - if a valid ticket
> has already been acquired by the user.
>
> Sebastian
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
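As an added example (not part of this thread), a POSIX shell audit of the FILE-type credential caches on a workstation: it assumes the MIT default naming `/tmp/krb5cc_<uid>` (with optional suffix) and flags any cache whose mode lets non-owners read it, or whose file owner differs from the uid in its name. It does nothing about root, who can read any file regardless, which is Sebastian's point; it only surfaces caches exposed to ordinary users.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes MIT krb5's default FILE ccache naming: krb5cc_<uid> or krb5cc_<uid>_<suffix>.
#
# audit_ccaches DIR
#   Prints one line per cache: "<path> <owner-uid> <mode> <verdict>"
#   Verdict is "ok", or one or both of "shared" (group/other bits set)
#   and "owner-mismatch" (file owner differs from uid in the name).
#   Returns 1 if any cache was flagged, 0 otherwise.
audit_ccaches() {
    dir=$1
    rc=0
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue
        # Owner uid and octal mode; GNU stat first, BSD/macOS stat as fallback.
        if stat -c '%u %a' "$f" >/dev/null 2>&1; then
            set -- $(stat -c '%u %a' "$f")
        else
            set -- $(stat -f '%u %Lp' "$f")
        fi
        owner=$1
        mode=$2
        # uid encoded in the file name: strip "krb5cc_" and any "_suffix".
        name_uid=$(basename "$f" | sed -e 's/^krb5cc_//' -e 's/_.*//')
        verdict=""
        # Any group/other permission bits mean a non-owner can read or write it.
        case "$mode" in
            0|00|*00) ;;
            *) verdict="${verdict}shared " ;;
        esac
        # Ownership check only when the name carries a plain numeric uid.
        case "$name_uid" in
            ""|*[!0-9]*) ;;
            *) if [ "$name_uid" != "$owner" ]; then
                   verdict="${verdict}owner-mismatch "
               fi ;;
        esac
        if [ -n "$verdict" ]; then rc=1; fi
        printf '%s %s %s %s\n' "$f" "$owner" "$mode" "${verdict:-ok}"
    done
    return $rc
}

# Usage: sh audit_ccaches.sh /tmp
if [ "$#" -gt 0 ]; then
    audit_ccaches "$1"
fi
```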