Skip Menu |

Download (untitled) / with headers
text/plain 2.9KiB
From mhpower@MIT.EDU Sun Nov 10 22:10:29 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA17343 for <bugs@RT-11.MIT.EDU>; Sun, 10 Nov 1996 22:10:29 -0500
id AA29840; Sun, 10 Nov 96 22:10:28 EST
Received: by yaz-pistachio.MIT.EDU (5.57/4.7) id AA09548; Sun, 10 Nov 96 22:10:27 -0500
Message-Id: <9611110310.AA09548@yaz-pistachio.MIT.EDU>
Date: Sun, 10 Nov 96 22:10:27 -0500
From: mhpower@MIT.EDU
Reply-To: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: login.krb5 behavior with an accidentally missing keytab
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 173
>Category: krb5-appl
>Synopsis: login.krb5 behavior with an accidentally missing keytab
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Nov 10 22:11:01 EST 1996
>Originator: Matt Power
Show quoted text
>Release: 1.0-development

System: ULTRIX yaz-pistachio 4.2 0 RISC
Machine: mips
Show quoted text
The description of verifying the user's ticket-granting ticket
includes the text "If the host/<host> service is unknown
(i.e., the local keytab doesn't have it), let her in." and
"If the rcmd.<host> service is unknown (i.e., the local
srvtab doesn't have it), let her in." I believe it is
important to provide a way to configure login.krb5 such that
the keytab (and srvtab, if appropriate) file must exist.
Otherwise, the security provided through use of the keytab
file may be lost if the keytab file was supposed to exist
but was removed by some mechanism other than an authorized
person explicitly deciding to remove it. For example, the
keytab file might go away during a run of fsck. Also, there
are occasionally security holes in software unrelated to
Kerberos that allow ordinary users to remove files owned by
root, but otherwise don't grant the users root access (e.g.,
this problem exists in some versions of lpr, and in various
other programs that are attempting to delete only certain
files under /tmp/). Because of these two reasons, it's often
not a good idea to disable a security feature on the basis of
finding that a particular file does not exist.

Show quoted text

Presumably the problem could be examined by simply deleting
or renaming a system's keytab file. If a more realistic
scenario is needed, install unreliable disk hardware or an
appropriately broken version of lpr.

Show quoted text
I think the best solution is for the option to require that
the keytab file exists and contains the relevant key. Another
possibility is to require only that the keytab file exists
and has non-zero length. In this latter case, it may be
sufficiently unlikely that the keytab file accidentally has
contents that weren't intended by the system administrator.
Show quoted text
login.krb5 now uses the krb5_get_init_creds API, which looks
for a configuration option in krb5.conf; if that
option is set then the keytab is required to be present
and contain the service.