Russ Allbery wrote:
> Yes, set the account NOTGS. kas setf <username> notgs. This disables
> their ability to obtain a TGT from the Kerberos server. (Note that this
> assumes that you're running the AFS kaserver; you may need to use a
> different procedure if you're running a separate Kerberos realm.)
Along the same lines, you should consider setting the flags on *all* your
user accounts to prohibit the granting of service tickets for those
principals (NOSEAL, IIRC), unless you're using zephyr or a similar
kerberized service and need that functionality. If your only kerberized
service is AFS, then you should do as I suggest. The issue is a pretty
well-known defect in K4, but there's no point in tipping off the script
kiddies, so pardon me if I don't go into more detail.

If you don't do this, then a moderately large cell can be cracked in minutes,
or less.

K4 is incredibly creaky; the only point in its favor is that there are so
many easier holes to attack in things like Internet Explorer and Outlook.

(It's possible that Transarc has addressed this flaw recently, but I think
I would have heard about it if they had. Given recent developments, it seems
increasingly unlikely. I hope I'm wrong.)
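An added example of how one might apply the bulk NOSEAL change recommended above; it is not code from the post, from Transarc, or from OpenAFS. It is a POSIX sh script that takes a `kas list`-style principal list, skips the entries that must keep SEAL (the afs server key, the ticket-granting entry, admin accounts, and kerberized services such as zephyr), and emits one `kas setfields` command per remaining user principal for review before anything is run. The sample principal names, the exclusion list, and the `-flags NOSEAL` expression are assumptions; check `kas help setfields` on your kaserver for the exact flag syntax, and confirm whether a bare flag name adds to or replaces the current flag set, which is why ADMIN entries are left out here.

```shell
#!/bin/sh
# Added example, not code from the original post or from Transarc/OpenAFS.
# Bulk-set NOSEAL on the plain user principals of an AFS kaserver cell so
# the KDC will not issue service tickets *for* those principals, leaving
# the entries that must keep SEAL alone.
#
# Assumptions (check against your kaserver):
#   - `kas list` prints one principal per line as name or name.instance
#   - `kas setfields -name <user> -flags NOSEAL` is the accepted syntax
#     (confirm with `kas help setfields` whether a bare flag name adds to
#     or replaces the current flags before touching any ADMIN entry)

# Constructed sample of `kas list` output, so the script can be run and
# read offline. Replace with "$(kas list)" to target the real cell.
SAMPLE_PRINCIPALS="afs
krbtgt.EXAMPLE.ORG
admin
alice
bob
carol.admin
zephyr"

# Space-separated names (instance stripped) that must keep SEAL: the AFS
# server key, the ticket-granting entry, admin accounts, and kerberized
# services like zephyr that users need to obtain tickets for.
EXCLUDE="afs krbtgt admin zephyr"

# build_noseal_cmds PRINCIPALS EXCLUDE
# Prints one `kas setfields` command per eligible principal. Principals
# with an instance (e.g. carol.admin) are skipped outright: those are
# usually admin or service entries and should be reviewed by hand.
build_noseal_cmds() {
    printf '%s\n' "$1" | while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        name=${princ%%.*}
        case " $2 " in *" $name "*) continue ;; esac
        case "$princ" in *.*) continue ;; esac
        printf 'kas setfields -name %s -flags NOSEAL\n' "$princ"
    done
}

# count_noseal_cmds PRINCIPALS EXCLUDE
# Number of accounts the change would touch; a sanity check before
# applying it to a large cell.
count_noseal_cmds() {
    build_noseal_cmds "$1" "$2" | wc -l | tr -d ' '
}

# Dry run: print the commands for the sample list. After reviewing the
# real output, apply it with `... | sh` (kas will ask for admin
# credentials) rather than executing it unreviewed.
build_noseal_cmds "$SAMPLE_PRINCIPALS" "$EXCLUDE"
```

Against the constructed sample the script emits commands only for `alice` and `bob`; everything else is either excluded by name or carries an instance and is left for manual review.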