Root can steal peoples creds too, joe user's tgt is in a cache file that root can use. So root can be joe on the network


-----Original Message-----
From: Derek Harkness [mailto:dharknes@umd.umich.edu]
Sent: Tuesday, June 10, 2008 07:57 AM Pacific Standard Time
To: Rodrigo Castro
Cc: Daniel Savard; kerberos@mit.edu
Subject: Re: Kerberos Ldap Integration

The general answer is no. The more specific answer is mostly no.
Anyone with root can su to any other account on the system, and this
includes LDAP-provided accounts. But even root can't obtain another
user's Kerberos creds without their password, key, or root access to
the KDC. So as long as your services require Kerberos, it doesn't
matter if root can su to another user (well, it does, but it is less
damaging). I would recommend not using NFS for network shares, or
NFSv4 with krb if you do. I would also require users to re-enter their
password to change anything in the LDAP directory.

Since you can't prevent this, it is really better to just design around it.

Derek Harkness
University of Michigan-Dearborn
Data Security Analyst


On Jun 10, 2008, at 7:06, Rodrigo Castro wrote:

> I guess I haven't made myself clear. In my work environment we have
> many labs. Some of them have root privileges to administrate their own
> lab. So with their root account they can become any ldapuser. This is
> undesirable. Is there any kerberos/ldap configuration to disable this?
>
> On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard wrote:
>
>> You cannot prevent root from su'ing to any other local user. This is
>> why root is called a superuser. This has nothing to do with Kerberos
>> or LDAP, this is an OS issue. If the idea is to prevent access by the
>> sysadmin to the ldapuser, you should simply be the sysadmin yourself.
>> If you don't trust your sysadmin I fear you have no other choice than
>> being it.
>>
>> 2008/6/10 Rodrigo Castro:
>>
>>> Hi, I don't know if this is the right place to ask, but I've been
>>> striving to prevent local root su ldapuser, but have failed so far.
>>> I've already configured kerberos to work with ldap following this page
>>> http://www.bayour.com/LDAPv3-HOWTO.html
>>> Any help is appreciated.
>>>
>>> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga wrote:
>>>
>>>> Hi Turbo,
>>>>
>>>> Thanks for the link...
>>>> I am able to link ldap and kerberos, I can add principals from
>>>> kadmin and they get added in ldap.
>>>>
>>>> But one problem still remains.
>>>> I want to mix in Kerberos principal attributes to a directory
>>>> entry of the people objectclass which has userPassword. I want this
>>>> password to be used by kdc.
>>>>
>>>> Is such a thing possible? I went through the schema and found that
>>>> 'krbUPEnabled' helps in achieving this, but how can one set this
>>>> attribute?
>>>>
>>>> I am fairly new to this kerberos and ldap stuff so excuse me if I
>>>> ask something that's silly.
>>>>
>>>> If someone has to automate the process of adding principals, what
>>>> are the possible solutions?
>>>> Using scripts? Is that a good way?
>>>>
>>>> Thanks and Regards,
>>>> Gaurav
>>>>
>>>> On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson wrote:
>>>>
>>>>> >>>>> "gaurav" == gaurav bagga writes:
>>>>>
>>>>> gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
>>>>> gaurav> happy with what I have achieved till now. I'll really
>>>>> gaurav> appreciate if any one can help/guide by giving pointers
>>>>> gaurav> towards *good articles* which give information regarding
>>>>> gaurav> the steps to be performed in doing the same.
>>>>>
>>>>> Have a look at http://bayour.com/LDAPv3-HOWTO.html
>>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos@mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>>
>>>
>>> --
>>> __________________________________
>>> Rodrigo de Castro Cosme
>>> Ciência da Computação - Universidade Federal do Espírito Santo
>>> Suporte mailing list - suporte@inf.ufes.br
>>> MSN - rdccosmo@gmail.com
>>>

>>
>>
>>
>> --
>> -----------------
>> Daniel Savard
>>

>
>
>
> --
> __________________________________
> Rodrigo de Castro Cosme
> Ciência da Computação - Universidade Federal do Espírito Santo
> Suporte mailing list - suporte@inf.ufes.br
> MSN - rdccosmo@gmail.com

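Since, as Derek and the top reply say, root becoming a directory-provided account cannot be prevented and has to be designed around, one practical measure is to log and alert on it. The following is an added example, not code from anyone in this thread; it assumes the pam_unix "session opened for user X by Y(uid=N)" syslog line that su emits on Linux, and uses a constructed auth log and a constructed list of LDAP accounts.

```python
import re

# Constructed sample auth log lines (not from the thread); the pam_unix su format is assumed.
SAMPLE_LOG = """\
Jun 10 07:55:01 lab1 su[2101]: pam_unix(su:session): session opened for user joe by root(uid=0)
Jun 10 07:55:40 lab1 su[2102]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Jun 10 07:56:12 lab1 su[2103]: pam_unix(su:session): session opened for user backup by root(uid=0)
Jun 10 07:57:03 lab1 sshd[2200]: Accepted gssapi-with-mic for joe from 10.0.0.5 port 5022 ssh2
Jun 10 07:58:30 lab1 su[2104]: pam_unix(su:session): session opened for user bob by root(uid=0)
"""

# Constructed set of directory-provided (LDAP) accounts. In practice you would
# build this from the directory (e.g. getent passwd minus local /etc/passwd users).
LDAP_USERS = {"joe", "bob", "alice"}

# Matches a pam_unix su session-open line and captures who became whom.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[\d+\]: "
    r"pam_unix\(su:session\): session opened for user (?P<target>\S+) "
    r"by (?P<actor>\w+)\(uid=(?P<uid>\d+)\)$"
)


def root_su_into_ldap_accounts(log_text, ldap_users):
    """Return (host, timestamp, target) for every su session that uid 0 opened
    on a directory-provided account; local-only targets (e.g. 'backup') and
    ordinary users su'ing to root are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        if m.group("uid") == "0" and m.group("target") in ldap_users:
            hits.append((m.group("host"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for host, ts, target in root_su_into_ldap_accounts(SAMPLE_LOG, LDAP_USERS):
        print(f"{ts} {host}: root became directory account '{target}'")
```

Feed it the auth log from each lab box with local root (or run the same match as a SIEM rule) so that the su events the thread says cannot be blocked are at least attributable to a host and a time.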