On 8 January 1998 Ken Hornstein wrote:
Hi,
MS>> First of all, why doesn't kas look at the AFS token in the current
MS>> shell? The search order for the password is:
MS>> 1: -admin switch
MS>> 2: Unix UID
MS>> I think it should be:
MS>> 1: -admin switch
MS>> 2: AFS token in the shell
MS>> 3: Unix UID
KH> Unfortunately, this isn't possible.
KH> When you use "klog", you're getting (essentially) a Kerberos service
KH> ticket for the afs service. However, when you run kas, you're getting
KH> a service ticket for the Authuser.Admin service. You can't use the
KH> AFS service ticket for talking to the kaserver - it simply won't
KH> recognize it.
I didn't say that the kas program should use the AFS service ticket, just
look in it to see which password the kas program should ask for.
KH> Note that this is a deliberate design decision - otherwise someone
KH> could come up to an unattended workstation and change a user's password
KH> without having to enter in the original password first.
Once again: in this part of my mail I just suggested that the kas program
should look in the ticket, not use it in any way.
KH> If one of your AFS admins left their workstation unattended or used
KH> the amazingly insecure AFS token passing rsh, then an attacker could
KH> do all sorts of evil things with kas.
Yes, I know that.
KH> BTW, only a few of the AFS commands check the Unix userid ... and this
KH> is only done for the root vs non-root case. Certainly none of the
KH> commands that talk to other machines check the Unix userid.
Okay, I understand that some commands need to know if the user is root or
not. But when kas asks me for my password it is more interesting to ask for
the password of the "owner" of the AFS service ticket.
MS>> The second question is about the "kas examine" command. Today
MS>> everyone always has to enter a password when they do an examine. I
MS>> don't like that.
KH> See above; you can't get around it (well ... that's not _exactly_
KH> true).
Transarc could rewrite the kas program. And my real question is whether that
would be a security problem or not.
MS>> You will ask me why. In our cell we don't use the Transarc AFS login
MS>> program, we are using a special version of XDM login and Athena
MS>> Kerberos telnet.
KH> It sounds like you should really be running a Kerberos KDC.
As far as I know, there is no Krb V5 outside the US with full encryption. And
for Krb V4 I think that the KA server has some extra features, like an expiry
date for the accounts. And of course today we are running the KA server; we
don't want to replace it if it isn't necessary.
MS>> So today the users don't get any warning messages before the
MS>> password expires. We have an idea of creating a shell script that does
MS>> a "kas examine <loginuser>" at login time and shows a warning
MS>> message. But today the users have to enter their own passwords to get
MS>> that type of script to work okay. And the users don't like to type
MS>> their passwords a second time when they log in.
MS>> The second thing is that we have some administrative scripts that
MS>> need to look in the KAS database. If I have an ADMIN token when I run
MS>> this type of script it would be much easier; today I have to enter my
MS>> password each time the script does a "kas examine".
KH> There _is_ a way around this.
KH> kas won't ask for a password if you already have a token for
KH> Authuser.Admin. But, AFAIK, there is no way (other than internally
KH> to kas) to get a service ticket for Authuser.Admin. So you would
KH> have to hack your login/script process to get an Authuser.Admin ticket
KH> and then you should be able to run "kas" without any problems. This
KH> has its own wonderful security problems, though.
Or could it be possible that "kas examine" used the AFS service ticket
instead of the Authuser.Admin ticket? I think that all the other kas
commands should use the Authuser.Admin ticket. Just change the
implementation of "kas examine".
Would that kind of change open up a big security hole or not?
Examine doesn't show any encrypted passwords, just the version number and the
checksum. You need to know the name of the instance you would like to
examine, and so on.
So even if I forgot to lock my screen and some bad person started to use my
computer, he shouldn't get too much information.
Or have I missed some important part here?
_\\|//_
(-0-0-)
/------------------------------ooO-(_)-Ooo-----------------------------\
| Magnus Sandberg Email: [EMAIL PROTECTED] http://www.it.kth.se/~mem |
| Systems admin, Royal Institute of Technology/Dep. of Teleinformatics |
| Phone: +46-8-752 14 46 FAX: +46-70-711 53 03 GSM: +46-70-716 62 06 |
\----------------------------------------------------------------------/
|| ||
ooO Ooo
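The login-time expiry warning floated in the thread, as an added example (not code from the thread or from Transarc): it takes the text of a "kas examine" run as input and decides whether to warn, leaving aside the question of which ticket kas should use to obtain it. The sample output is constructed, the exact wording of the "password will expire:" line is an assumption about the kas output format, and `date -d` assumes GNU date.

```shell
#!/bin/sh
# Added example: warn at login when the kas password is close to expiring.
# SAMPLE_KAS_OUTPUT is a CONSTRUCTED imitation of "kas examine" output;
# the "password will expire:" wording is an ASSUMPTION about the real format.
SAMPLE_KAS_OUTPUT='User data for mem (ADMIN)
  key (1) cksum is 2837456123, last cpw: Mon Jan  5 10:12:44 1998
  password will expire: Sat Jan 17 10:12:44 1998
  An unlimited number of unsuccessful authentications is permitted.
  entry never expires.  Max ticket lifetime 100.00 hours.
  last mod on Mon Jan  5 10:12:44 1998 by admin
  permit password reuse'

# Constructed sample for an account whose password never expires.
NEVER_EXPIRES_OUTPUT='User data for mem (ADMIN)
  key (1) cksum is 2837456123, last cpw: Mon Jan  5 10:12:44 1998
  password will never expire.
  entry never expires.  Max ticket lifetime 100.00 hours.'

# Print the expiry date string from kas output; prints nothing when the
# password never expires (so callers can distinguish the two cases).
expiry_from_examine() {
    printf '%s\n' "$1" | sed -n 's/^ *password will expire: *//p'
}

# Whole days from "now" ($2, epoch seconds) until the expiry date ($1).
# Dates are interpreted in UTC so the result does not depend on the host TZ.
# Assumes GNU date (-d); returns 1 if the date string cannot be parsed.
days_until() {
    exp_epoch=$(TZ=UTC date -d "$1" +%s) || return 1
    echo $(( (exp_epoch - $2) / 86400 ))
}

# Exit status 0 = warn the user, 1 = nothing to do.
# $1 = kas examine output, $2 = now (epoch seconds), $3 = threshold in days
check_password_expiry() {
    expiry=$(expiry_from_examine "$1")
    [ -z "$expiry" ] && return 1           # never expires: no warning
    days=$(days_until "$expiry" "$2") || return 1
    [ "$days" -le "$3" ]
}

# Typical use in a login script (real kas output instead of the sample):
#   if check_password_expiry "$(kas examine "$USER")" "$(date +%s)" 14; then
#       echo "Your AFS password expires soon; please change it with kpasswd."
#   fi
```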