[7090] in Kerberos


Re: Problems running gss-server example as non-root

daemon@ATHENA.MIT.EDU (Barry Jaspan)
Mon Apr 15 12:20:46 1996

Date: Mon, 15 Apr 96 12:05:17 EDT
From: Barry Jaspan <bjaspan@MIT.EDU>
To: hartmans@MIT.EDU
Cc: edhill@strobe.weeg.uiowa.edu, kerberos@MIT.EDU
In-Reply-To: <tslzq8deau8.fsf@tertius.mit.edu> (message from Sam Hartman on 15
	Apr 1996 12:00:31 -0400)


	   Sure is.  In fact, there is a convenient environment variable
   that sets the default in our current code; I believe this dates back to
   Beta5.   Try setting KRB5_KTNAME=FILE:/somewhere.

Marc and I had an argument some time ago about whether it was a good
idea to allow an environment variable to set the keytab, and he
eventually convinced me it was a bad idea.  There have been numerous
attacks in the past that allowed an attacker to set arbitrary
environment variables for servers executing on remote machines.  These
holes tend to be fixed by enumerating the set of environment variables
that should not be settable remotely.  It is a good bet that
KRB5_KTNAME is not on any of those lists, so it may be settable.  An
attacker could set the variable to point to a keytab that he controls,
so he would know the key and therefore be able to break into the
service.

I therefore suggest that the default keytab NOT be settable by an
environment variable.  Changing the default should require explicit
action on the part of the program accessing the keytab (for example, a
response to a command-line argument).

Barry
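
One way a server can follow the suggestion above, as an added example (not part of the original message and not MIT Kerberos code): the keytab name changes only through an explicit `-k` argument, and any inherited KRB5_KTNAME is removed before a library default lookup could read it. The function name `select_keytab`, the `-k` flag and the default path are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L     /* for unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed compiled-in default; a real build would take this from its config. */
#define DEFAULT_KEYTAB "FILE:/etc/krb5.keytab"

/*
 * Choose the keytab name for a server process.
 * Only an explicit "-k NAME" argument may override the compiled-in default.
 * KRB5_KTNAME inherited from the environment is removed, and *env_scrubbed
 * is set to 1 when it was present so the caller can log the event.
 * Returns NULL on a malformed command line ("-k" with no value).
 */
const char *select_keytab(int argc, char **argv, int *env_scrubbed)
{
    const char *name = DEFAULT_KEYTAB;
    int i;

    *env_scrubbed = (getenv("KRB5_KTNAME") != NULL);
    if (unsetenv("KRB5_KTNAME") != 0)
        return NULL;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-k") != 0)
            continue;
        if (i + 1 >= argc || argv[i + 1][0] == '\0')
            return NULL;                /* "-k" without a value */
        name = argv[++i];
    }
    return name;
}

int main(int argc, char **argv)
{
    int scrubbed;
    const char *kt = select_keytab(argc, argv, &scrubbed);

    if (kt == NULL) {
        fprintf(stderr, "usage: %s [-k keytab]\n", argv[0]);
        return 2;
    }
    if (scrubbed)
        fprintf(stderr, "warning: ignoring KRB5_KTNAME from environment\n");
    /* A real server would now pass kt to krb5_kt_resolve(). */
    printf("using keytab %s\n", kt);
    return 0;
}
```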

