söndag den 28 oktober 2012 klockan 10:46 skrev Russ Allbery detta: > Mats Erik Andersson <g...@gisladisker.se> writes: > > > I am somewhat disturbed by that fact that the superuser > > is able to execute > > > # shisa -d --keys > > > thereby gaining access to all passwords for all principals > > of the running KDC. > > The keys, or the passwords? Not that it probably makes a lot of > difference (although only being able to get the keys means that at least > it's difficult to attack other realms where the user may reuse the > password).
The execution of "shisa -d --keys u...@ex.org" will print the password in clear text, which I find uncomforting. All the more so since it is not at all needed in maintaining the keytab file. I would have expected a dicotomy like used for shadow passwords, where only a string hash is stored, not the plain text string. That "shisa" exposes the salt and encryption key is acceptable to me, since the latter is needed for the keytab, but printing the passwords seems very backwards. > > Contrast this to the situation with MIT Kerberos or Heimdal, > > where a selected administrator is entrusted with the power to > > inspect such secrecies, which the superuser is unable to access, > > unless he was able to snoop the administrator's password. > > The superuser on the KDC can similarly retrieve the keys for any principal > in the Kerberos KDC with both MIT and Heimdal, using kadmin -l (Heimdal) > or kadmin.local (MIT). Executing "kadmin.local: getprinc user@SOL" will not reveal the clear text password, only basic information about the principal. In my admittedly limited experience with MIT/Solaris, there has never appeared a means for the administrator to make readable any clear text passwords. Is there such a command? Regards, Mats E A _______________________________________________ Help-shishi mailing list Help-shishi@gnu.org https://lists.gnu.org/mailman/listinfo/help-shishi
