> A Debian user requested that krb5kdc and kadmind support dropping
> privileges after binding to network ports and run as a non-root user
> with access to the KDC database.  This isn't particularly compelling  
> for
> sites where the KDC holds the keys to everything anyway, but if one is
> using a KDC for a guest realm, for a specific purpose, or in some  
> other
> more limited situation, this provides some additional security
> protection.  It also provides some protection against unsophisticated
> attackers who know how to use a root exploit but who don't have the
> resources or knowledge to make use of access to the KDC database.
>
> See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477309 for the
> original report.

True, after binding ports we may not need privileges.  Note, too,  
though, that with SRV records or config file specs you can specify a  
non-privileged port for clients to talk to, and run the KDC programs  
entirely without privileges.  That's how we do our basic testing.

Unfortunately, I've heard that Microsoft clients ignore the port  
number indicated in SRV records and always use port 88, so if Windows  
clients are an issue, it could be a problem.  A firewall config on the  
KDC that redirects UDP port 88 to whatever non-privileged port could  
help with that, too, though it's kind of an ugly workaround.  And if  
anyone puts a port-88 hole in their company firewall for Kerberos, it  
may still block Kerberos traffic to another randomly chosen port.

(And yes, I agree with Russ's assessment in his message in the Debian  
tracking system, that it's probably going to be low-priority for us,  
but a good patch would be welcome.)

-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium