[30216] in Kerberos
"Stealing" the credential cache
daemon@ATHENA.MIT.EDU (E. Braun)
Wed Aug 13 09:16:17 2008
From: "E. Braun" <p2h56vc7@minet.uni-jena.de>
Followup-To: alt.filesystems.afs
Date: Wed, 13 Aug 2008 11:55:52 +0000 (UTC)
Message-ID: <slrnfbtflukga5iu8.656a.p2h56vc7@pax07e3.mipool.uni-jena.de>
X-Complaints-To: abuse@uni-jena.de
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
The system is Debian Linux (Etch, krb-user 1.4.4-7etch5):
I didn't expect, that the root user can simply copy the credentials cache
file and re-use the ticket:
--------------------------------------------------------------------------
# aklog
aklog: Couldn't get xxxxxxx.de AFS tickets:
aklog: No credentials cache found while getting AFS tickets
# cat /afs/xxxxxxxx/user/XXXXX/.bash_history
cat: /afs/xxxxxxxx/user/XXXXX/.bash_history: Permission denied
# whoami
root
# ls -l /tmp/krb5cc_*
-rw------- 1 XXXXX users 894 2008-08-13 09:32 /tmp/krb5cc_556
# cp /tmp/krb5cc_556 /tmp/krb5cc_0
# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: XXXXX@XXXXXXX.DE
Valid starting Expires Service principal
08/13/08 09:31:45 08/13/08 19:31:45 krbtgt/XXXXXXX.DE@XXXXXXX.DE
renew until 08/21/08 09:31:45, Flags: FPRIA
08/13/08 09:31:45 08/13/08 19:31:45 afs@XXXXXXX.DE
renew until 08/21/08 09:31:45, Flags: FPRAT
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# aklog
# head -n1 /afs/xxxxxxx/user/XXXXX/.bash_history
[protected data from username XXXXX]
--------------------------------------------------------------------------
Is this the expected behaviour, that the root user of a client (the user has
no interactive access to the Kerberos and AFS servers) can use a copy of the
credentials cache for getting an afs token?
Thank you,
Erik
(Followup-To: alt.filesystems.afs)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
