On 10/11/2011 11:55 AM, Mike Spinzer wrote:
> I set up the MIT Kerberos in my network (mainly composed of Ubuntu
> servers), and it's working fine. My concern is now to prevent that if an
> attacker manages to be root on one server, he could afterwards compromise other
> servers. Some of the users need to have root access on several servers; by
> now, they connect to servers through SSH with a forwardable ticket, that they
> can use either to bounce on another server or to become root with ksu without
> entering any password (so that they never enter their password on a server
> that could have been compromised).
> However, the problem is that if an attacker is root on one server, he can
> easily steal other users' credentials (stored by now in files in /tmp) and
> connect and become root on other servers.

It doesn't really matter how credentials are stored.  All data passing
through a compromised server is subject to theft.  Allowing users to
"bounce" from server to server is fundamentally at odds with containing
the effect of a server compromise.

I believe the only ways to mitigate this risk are:

1. Stop forwarding TGTs around.  Allow direct root login by users
authorized to do so (ideally using separate username/root principals).

2. Reduce the maximum ticket lifetime.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
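
An added example, not part of the original message or of MIT Kerberos: a small audit that reads `klist -f` output from a server and reports tickets that are forwardable, were forwarded, or outlive a chosen maximum, the two properties the reply singles out. The sample output, the `audit` function, the one-hour threshold and the US-style date format are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout printed by MIT `klist -f` (not from the thread).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2011 11:55:00  10/11/2011 21:55:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/18/2011 11:55:00, Flags: FRIA
10/11/2011 11:56:10  10/11/2011 12:56:10  host/web1.example.com@EXAMPLE.COM
\tFlags: A
"""

STAMP = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
FLAGS = re.compile(r"Flags: (\w+)")
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-style dates; adjust to the host locale


def audit(klist_output, max_life=timedelta(hours=1)):
    """Return (service, problem) pairs for risky tickets in a credential cache."""
    findings, current = [], None
    for line in klist_output.splitlines():
        ticket = TICKET.match(line)
        if ticket:
            start, end = (datetime.strptime(s, FMT) for s in ticket.group(1, 2))
            current = ticket.group(3)
            if end - start > max_life:
                findings.append((current, f"lifetime {end - start} exceeds {max_life}"))
            continue
        flags = FLAGS.search(line)
        if flags and current:
            if "F" in flags.group(1):  # F = forwardable: can be sent on to another host
                findings.append((current, "forwardable (F flag set)"))
            if "f" in flags.group(1):  # f = forwarded: arrived here from another host
                findings.append((current, "forwarded (f flag set)"))
    return findings


if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"{service}: {problem}")
```
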
