

Re: knetd

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:25:49 1987

From wesommer@ATHENA.MIT.EDU  Thu Sep 18 15:36:51 1986
To: saltzer@athena.mit.edu
Cc: kerberos@athena.mit.edu
Subject: Re: knetd
In-Reply-To: Your message of Thu, 18 Sep 86 15:18:20 EDT.
             <8609181918.AA24932@HERACLES>
Date: Thu, 18 Sep 86 15:34:39 -0500
From: wesommer@ATHENA.MIT.EDU

The original *ticket* is in /tmp/tkt_[foo] on the client side of the
connection, and thus is inaccessible from the server side (unless, of
course, the client is running some sort of file server and the ticket
file is readable to the server....  something which shouldn't happen).
The ticket is rather sensitive information; it permits anyone who
possesses it to impersonate the principal who owns it for one
particular instance of a service.  Therefore, it does not leave the
workstation.

The *authenticator* (built with mk_ap_req from the ticket file) passed
over is usually kept only in the address space of the server process.
It is only valid from one internet address, for one user, for about
five minutes (+/- clock skew).

Passing the authenticated name to the server process should be done
carefully; there should not be any way for randoms executing processes
on the server (which, under many circumstances, will be a timesharing
machine to some extent) to spoof the server process by calling it with
a forged principal name; in particular, the process receiving the name
should probably verify that it was invoked by a root process (if the
daemon happens to be set-uid), and that it happens to be connected on
an internet domain socket to the host where the user was coming from.

						- Bill
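The two checks Bill describes, shown as an added example in C. This is not code from the message or from the Kerberos sources: `struct auth_dat`, `check_authenticator()`, `name_handoff_trusted()` and `make_auth()` are hypothetical names, and the authenticator is a constructed, cut-down view of what a server sees after unpacking a Kerberos v4 ap_req (the real `rd_ap_req()` fills a larger structure). The first function enforces the properties the message attributes to an authenticator (bound to one internet address, one user, and a window of about five minutes of clock skew, plus a replay cache for that window); the second applies the rules for trusting a principal name handed to a set-uid daemon (invoked by root, over an internet-domain socket whose peer is the user's host).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical, simplified record of an unpacked authenticator (constructed
 * for this example; the real Kerberos v4 AUTH_DAT carries more fields). */
struct auth_dat {
    char pname[40];     /* principal name asserted by the authenticator */
    uint32_t address;   /* client internet address the ticket is bound to */
    time_t time_sec;    /* client's clock when mk_ap_req built the authenticator */
};

enum ap_status { AP_OK = 0, AP_BAD_ADDR = 1, AP_STALE = 2, AP_REPLAY = 3 };

#define CLOCK_SKEW (5 * 60)   /* the "about five minutes (+/- clock skew)" window */

/* Small replay cache of authenticators accepted inside the current window. */
#define RCACHE_SIZE 64
static struct auth_dat rcache[RCACHE_SIZE];
static int rcache_n = 0;

/* Build a constructed authenticator record for demonstration. */
struct auth_dat make_auth(const char *name, uint32_t addr, time_t t)
{
    struct auth_dat ad;
    memset(&ad, 0, sizeof ad);
    strncpy(ad.pname, name, sizeof ad.pname - 1);
    ad.address = addr;
    ad.time_sec = t;
    return ad;
}

/* Validate an authenticator against the peer address of the connection it
 * arrived on and the server's current clock. */
enum ap_status check_authenticator(const struct auth_dat *ad, uint32_t peer_addr, time_t now)
{
    long delta;
    int i, j;

    /* 1. Address binding: valid from one internet address only. */
    if (ad->address != peer_addr)
        return AP_BAD_ADDR;

    /* 2. Freshness: client time must lie within +/- CLOCK_SKEW of now. */
    delta = (long)(now - ad->time_sec);
    if (delta > CLOCK_SKEW || delta < -CLOCK_SKEW)
        return AP_STALE;

    /* 3. Replay: evict cache entries that have aged out of the window, then
     *    reject an authenticator already seen from this name and address. */
    j = 0;
    for (i = 0; i < rcache_n; i++)
        if ((long)(now - rcache[i].time_sec) <= CLOCK_SKEW)
            rcache[j++] = rcache[i];
    rcache_n = j;

    for (i = 0; i < rcache_n; i++)
        if (rcache[i].address == ad->address &&
            rcache[i].time_sec == ad->time_sec &&
            strcmp(rcache[i].pname, ad->pname) == 0)
            return AP_REPLAY;

    if (rcache_n < RCACHE_SIZE)
        rcache[rcache_n++] = *ad;
    return AP_OK;
}

/* Before a (possibly set-uid) daemon trusts a principal name handed to it,
 * require that the handoff came from a root process and over an internet
 * domain socket whose peer is the host the user came from. Returns 1 if ok. */
int name_handoff_trusted(uid_t invoker_uid, int sock_family,
                         uint32_t sock_peer, uint32_t user_host)
{
    if (invoker_uid != 0)          /* only root may assert an authenticated name */
        return 0;
    if (sock_family != AF_INET)    /* a local (UNIX-domain) caller could forge it */
        return 0;
    if (sock_peer != user_host)    /* peer must be the host the user is on */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: user "bill" from address 10.0.0.1, client clock 1000. */
    struct auth_dat a = make_auth("bill", 0x0a000001u, 1000);
    printf("first presentation: %d\n", check_authenticator(&a, 0x0a000001u, 1100));
    printf("second presentation: %d\n", check_authenticator(&a, 0x0a000001u, 1100));
    printf("handoff from non-root: %d\n",
           name_handoff_trusted(1000, AF_INET, 0x0a000001u, 0x0a000001u));
    return 0;
}
```

The replay cache is keyed on name, address and client timestamp, which is what makes the five-minute window safe to accept at all: without it, anything that captured the authenticator in transit could present it again within the window from a host with the same address.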


