Mats Erik Andersson <g...@gisladisker.se> writes:

> I am somewhat disturbed by the fact that the superuser
> is able to execute
>
> # shisa -d --keys
>
> thereby gaining access to all passwords for all principals
> of the running KDC.

The keys, or the passwords? Not that it probably makes a lot of
difference (although only being able to get the keys means that at least
it's difficult to attack other realms where the user may reuse the
password).

> Contrast this to the situation with MIT Kerberos or Heimdal,
> where a selected administrator is entrusted with the power to
> inspect such secrecies, which the superuser is unable to access,
> unless he was able to snoop the administrator's password.

The superuser on the KDC can similarly retrieve the keys for any principal
in the Kerberos KDC with both MIT and Heimdal, using kadmin -l (Heimdal)
or kadmin.local (MIT).

It's very difficult in a traditional UNIX security model to protect
anything against the superuser, of course. If all else fails, one can
always just read the disk database files directly. Improved security
probably requires eliminating the traditional security model via something
like SELinux.

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>