
Re: Is a keytab file encrypted?

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 21 17:55:38 2017

From: Russ Allbery <eagle@eyrie.org>
To: Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <87eft9jw7u.fsf@hope.eyrie.org> (Russ Allbery's message of "Fri, 
	21 Jul 2017 14:50:29 -0700")
Date: Fri, 21 Jul 2017 14:55:27 -0700
Message-ID: <874lu5jvzk.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Russ Allbery <eagle@eyrie.org> writes:
> Charles Hedrick <hedrick@rutgers.edu> writes:

>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and gets back
>> credentials, locked to the IP address, and at least by default not
>> forwardable.

> How does this address the problem raised on this thread?  It's still the
> case that if you become root on the host, you can just steal the keytab
> used by that daemon and use it anywhere.  This gives you enhanced
> protection if you trust the boundary between non-root users and root,
> but not if you don't trust the machine.

Oh, wait, I see -- it does transform part of the attack to occasional
on-line, since while you can steal the system keytab and request tickets
whenever you want, you can't get the long-lived keytab for the actual
target credential.  (And presumably you can put monitoring and alerting
around the host keytab being used from unexpected places.)

Yeah, that's a partial security improvement.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
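The message above points out that the remaining exposure after this design is "occasional on-line": an attacker holding the system keytab must still talk to the KDC, which is where monitoring can catch it. The following is an added example, not code from the thread, showing what that monitoring could look like: it scans lines in the shape of MIT `krb5kdc.log` and flags AS-REQ/TGS-REQ entries where a keytab-holding principal (here the host principal of the cron machine) authenticates from an address that is not the host it belongs to. The log lines, principals, realm (`EXAMPLE.EDU`) and addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of MIT krb5kdc.log output (not real logs).
# The host principal for cron1 legitimately lives only on 10.1.2.3; the other
# two addresses represent the "used from unexpected places" case from the thread.
SAMPLE_KDC_LOG = """\
Jul 21 14:50:29 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1500673829, etypes {rep=18 tkt=18 ses=18}, host/cron1.example.edu@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 21 14:51:02 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.7: ISSUE: authtime 1500673862, etypes {rep=18 tkt=18 ses=18}, host/cron1.example.edu@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 21 14:52:10 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1500673930, etypes {rep=18 tkt=18 ses=18}, hedrick@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
Jul 21 14:53:44 kdc1 krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 198.51.100.9: ISSUE: authtime 1500673829, etypes {rep=18 tkt=18 ses=18}, host/cron1.example.edu@EXAMPLE.EDU for cronsvc/cron.example.edu@EXAMPLE.EDU
"""

# One ISSUE line: timestamp, request type, requesting address, client and server principal.
LINE_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) .*?\) (?P<addr>[\d.]+): ISSUE: .*?, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)


@dataclass
class Alert:
    ts: str
    kind: str      # AS_REQ or TGS_REQ
    client: str    # keytab-holding principal that authenticated
    addr: str      # address the KDC saw the request from
    server: str    # service the ticket was issued for


def find_unexpected_keytab_use(log_text, expected):
    """Return alerts for ISSUE lines where a watched principal authenticates
    from an address outside its allow-list.

    expected: mapping of client principal -> set of addresses that legitimately
    hold that principal's keytab (hypothetical inventory supplied by the caller).
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ISSUE line we understand; ignore
        client = m.group("client")
        if client not in expected:
            continue  # ordinary user or unwatched service; out of scope
        if m.group("addr") not in expected[client]:
            alerts.append(Alert(m.group("ts"), m.group("kind"), client,
                                m.group("addr"), m.group("server")))
    return alerts


if __name__ == "__main__":
    watched = {"host/cron1.example.edu@EXAMPLE.EDU": {"10.1.2.3"}}
    for a in find_unexpected_keytab_use(SAMPLE_KDC_LOG, watched):
        print(f"{a.ts} {a.kind} {a.client} from {a.addr} (for {a.server})")
```

The allow-list is the key input: the KDC cannot tell a stolen keytab from a legitimate one, so the detection rests entirely on knowing which addresses should ever present each keytab. A TGS-REQ from an unexpected address is the more telling signal here, since it shows the stolen host credential being turned into a ticket for the cron service itself.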
