On Tue, Oct 11, 2011 at 12:35 PM, Simo Sorce <[email protected]> wrote:
> On Tue, 2011-10-11 at 08:55 -0700, Mike Spinzer wrote:

Kerberos is a network security protocol. It *assumes* and *requires* local security. You might say that Kerberos *extends* local security to the network. Kerberos is not a local security facility. Of course, Kerberos should not make local security weaker for using Kerberos.

Suppose you were using something entirely different from Kerberos for network security. Say, SSH with public keys, or with plain passwords, or with SRP, or J-PAKE. Or TLS with user certificates, or PSK. Or whatever else. Whatever alternative you choose to use will have some credential (private keys, shared secrets such as passwords), and that credential will be as subject to theft as a Kerberos credential.

Yeah, I know, I'm piling on. But it's important to state the local security requirement of all network security protocols explicitly.

> I don't know if Ubuntu includes support, but you can try using the
> kernel keyring to store credentials. That should make it more difficult
> for an attacker to get access to keys, although not impossible I guess.

If the attacker has full local access then the kernel keyrings must be assumed to be readable by the attacker. Even if they have much less than full local access. For example, if the attacker has access as the victim user.

(Which is why there's no point storing large, unbounded objects, such as Kerberos ccaches, in a keyring. Smaller, *bounded* credentials are useful to store in keyrings but only doing so simplifies management, as there's no files to destroy on logout, for example.)

Even if the attacker's level of access denies them direct read access to the credentials, if the attacker can use the credentials it's bad enough.

Local security is a prerequisite for any network security protocol.

Nico
-- 
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
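The thread's point is that a credential cache is only as safe as the local account that owns it: a FILE: ccache must be owned by that user and unreadable by anyone else, and a KEYRING: or MEMORY: cache, while it has no file to leak or to forget on logout, is still usable by any process running as that user. The following script is an added illustration of that check, not code from the post or from MIT Kerberos. It uses the standard KRB5CCNAME cache-type prefixes (FILE, DIR, KEYRING, MEMORY, KCM); the audit rules, the function names and the constructed placeholder file are assumptions made for the example.

```python
"""Audit the local-security preconditions of a Kerberos credential cache.

Added example for the mailing-list discussion above; not part of MIT krb5.
It parses a KRB5CCNAME-style spec and, for FILE: caches, checks that the
file is a regular file owned by the expected user with no group/other
permission bits and that its parent directory is not world-writable.
For non-file cache types it records that the cache is still reachable by
any process running as the owning user.
"""
import os
import stat
import tempfile

# Cache-type prefixes as used in KRB5CCNAME by MIT krb5.
CCACHE_TYPES = {"FILE", "DIR", "KEYRING", "MEMORY", "KCM"}


def parse_ccache_name(spec):
    """Split 'TYPE:residual' into (TYPE, residual).

    A spec with no recognised type prefix is treated as a FILE: path,
    which matches how krb5 interprets a bare path.
    """
    if ":" in spec:
        ctype, residual = spec.split(":", 1)
        if ctype.upper() in CCACHE_TYPES:
            return ctype.upper(), residual
    return "FILE", spec


def audit_file_ccache(path, expected_uid=None):
    """Return a list of findings for a FILE: cache; [] means it passes."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: cache file does not exist"]

    uid = os.getuid() if expected_uid is None else expected_uid

    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: cache path is a symbolic link")
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not-regular: cache path is not a regular file")

    if st.st_uid != uid:
        findings.append(f"owner: owned by uid {st.st_uid}, expected {uid}")

    # Any group/other bit lets another local account read or replace tickets.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"mode: {stat.S_IMODE(st.st_mode):04o} grants group/other access")

    # A world-writable parent without the sticky bit allows the cache file
    # to be unlinked and replaced by another local user.
    parent = os.path.dirname(os.path.abspath(path)) or "."
    pst = os.stat(parent)
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        findings.append("dir: parent directory is world-writable without sticky bit")

    return findings


def audit_ccache(spec, expected_uid=None):
    """Return (cache_type, findings) for a KRB5CCNAME-style spec."""
    ctype, residual = parse_ccache_name(spec)
    if ctype == "FILE":
        return ctype, audit_file_ccache(residual, expected_uid)
    # Keyring/memory/daemon-held caches have no file to audit, but as the
    # thread notes they remain usable by any process running as the user.
    return ctype, ["no on-disk object; still usable by any process running as the owner"]


def demo():
    """Constructed example: audit a placeholder cache at 0600, then at 0644."""
    private_dir = tempfile.mkdtemp()           # mode 0700, owned by us
    path = os.path.join(private_dir, "krb5cc_demo")
    with open(path, "wb") as fh:
        fh.write(b"constructed placeholder, not a real credential cache")
    os.chmod(path, 0o600)
    strict = audit_ccache(f"FILE:{path}")
    os.chmod(path, 0o644)
    loose = audit_ccache(f"FILE:{path}")
    return strict, loose


if __name__ == "__main__":
    for label, result in zip(("0600", "0644"), demo()):
        print(label, result)
    print(audit_ccache("KEYRING:persistent:1000"))
```

Run it as the user whose cache you want to check; an empty findings list for a FILE: cache means the file itself meets the precondition the post describes, while the note returned for KEYRING: and MEMORY: caches is a reminder that moving tickets out of a file changes management, not the trust placed in the local account.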
