> Here's a question. Let's say that we have a UNIX
> computer that is in a Kerberos realm, and an untrusted
> user has "root" access. If some other user happens to
> log in to that computer, then the root user can
> symbolically link their ticket cache file to that of
> any user that has logged in. Thus, when root does a
> 'klist', it shows the credentials of that other user.
> This seems like a huge bug (though it's due to how
> UNIX was architected), because then root has
> realm-wide access as this user without requiring a
> password!

The basic problem here is that yes, root having access to a system gives them the same rights as any other user who's used Kerberos on that system (within the ticket lifetime window). But if you think about it, you'll find that the same is true of ANY other network security system; if an endpoint is compromised, you can subvert ANYTHING on that box (like ssh, ssl, etc etc). It's one of those things that's outside of the scope of Kerberos (and when you get down to it, any other network authentication system); that's a cop-out, yes, but it's the same cop-out everyone else uses, so I don't personally see it as a particular failing of Kerberos. At least Kerberos tickets will expire (but you could install a trojan copy of kinit, so I'm not sure there's that much gain).

--Ken

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
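
An added example, not part of the original thread: a defender-side audit of file-based credential caches that flags the symlink arrangement described in the quoted question, along with loose permissions and owner mismatches. It assumes caches named `krb5cc_<uid>` in `/tmp`; the function name `audit_ccaches` is illustrative, and a root user who reads a cache file directly leaves nothing for this check to find.

```python
import os
import re
import stat


def audit_ccaches(directory="/tmp"):
    """Return {path: [findings]} for krb5cc_* entries that need review."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith("krb5cc_"):
            continue
        path = os.path.join(directory, name)
        # lstat inspects the entry itself, so a symlink is seen as a symlink
        st = os.lstat(path)
        findings = []
        if stat.S_ISLNK(st.st_mode):
            # A cache name that points at another file is the case from the thread
            findings.append("symlink -> " + os.readlink(path))
        elif not stat.S_ISREG(st.st_mode):
            findings.append("not a regular file")
        else:
            # Tickets are bearer credentials: only the owner should have access
            if stat.S_IMODE(st.st_mode) & 0o077:
                findings.append("group/other permissions set")
            # Assumed naming: krb5cc_<uid>, optionally followed by a suffix
            m = re.match(r"krb5cc_(\d+)", name)
            if m and int(m.group(1)) != st.st_uid:
                findings.append("owner uid %d does not match name" % st.st_uid)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_ccaches().items():
        print(path, "; ".join(findings))
```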
