Tom Yu <[email protected]> writes:
> Russ Allbery <[email protected]> writes:

>> Note, of course, that if you generally use Kerberos for authentication
>> for your systems, your operations group is being ridiculous here. Any
>> Kerberos KDC administrator could just change the password of one of the
>> operations people and then gain root that way.

> True, unless for some reason the ops people don't trust Kerberos for
> authenticating logins to the host that runs the KDC.

Even then, it's a serious uphill battle to protect against an actual
attacker with access to the KDC. They can silently compromise the account
of one of the people in operations and then Trojan ssh to sniff the root
password, just to pick one example. Protecting yourself against attackers
with KDC access is, at most sites that use Kerberos, a lost cause.

> It's still a good security practice to avoid running any other services
> on a KDC host though.

Yeah, that plus the use of Kerberos for authentication anyway is why I've
not only never seen any point in running production KDCs as non-root
users, I've never seen any point in having anyone other than the KDCs
administer the system on which the KDCs run. There's just no realistic
security gain; all these people tend to be able to access each other's
accounts with a modicum of work, so you may as well unify all the
operations so that you can minimize the footprint that way.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
