[33242] in Kerberos
Re: Running Kerberos as a different user than root
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Mar 2 16:58:50 2011
To: Russ Allbery <rra@stanford.edu>
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 02 Mar 2011 16:58:42 -0500
In-Reply-To: <87hbblurmp.fsf@windlord.stanford.edu> (Russ Allbery's message of
"Wed, 02 Mar 2011 13:41:50 -0800")
Message-ID: <ldvvd01w5f1.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ Allbery <rra@stanford.edu> writes:
> Dave <steiner.dave@gmail.com> writes:
>
>> We've been running Kerberos for a number of years. We've always run all
>> the processes (including kprop, kadmin, etc) as root. A new group has
>> taken over running these machines and don't want to give the Kerberos
>> support people root access. I've looked around but I can't find out if
>> Kerberos can run as a non-root user.
>
> No reason that I can see provided that you find a way for the KDC to bind
> to port 88 before dropping privileges. But I don't think the code has any
> built-in way of doing that other than starting the KDC as root.
You can also run krb5kdc on an unprivileged port without running as
root, but that could require DNS SRV records or explicit configuration
on the clients.
> Note, of course, that if you generally use Kerberos for authentication for
> your systems, your operations group is being ridiculous here. Any
> Kerberos KDC administrator could just change the password of one of the
> operations people and then gain root that way.
True, unless for some reason the ops people don't trust Kerberos for
authenticating logins to the host that runs the KDC. It's still a
good security practice to avoid running any other services on a KDC
host though.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
