From mhpower@MIT.EDU Sun Nov 10 22:10:29 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA17343 for <bugs@RT-11.MIT.EDU>; Sun, 10 Nov 1996 22:10:29 -0500
Received: from YAZ-PISTACHIO.MIT.EDU by MIT.EDU with SMTP
id AA29840; Sun, 10 Nov 96 22:10:28 EST
Received: by yaz-pistachio.MIT.EDU (5.57/4.7) id AA09548; Sun, 10 Nov 96 22:10:27 -0500
Message-Id: <9611110310.AA09548@yaz-pistachio.MIT.EDU>
Date: Sun, 10 Nov 96 22:10:27 -0500
From: mhpower@MIT.EDU
Reply-To: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: login.krb5 behavior with an accidentally missing keytab
X-Send-Pr-Version: 3.99
System: ULTRIX yaz-pistachio 4.2 0 RISC
Machine: mips
includes the text "If the host/<host> service is unknown
(i.e., the local keytab doesn't have it), let her in." and
"If the rcmd.<host> service is unknown (i.e., the local
srvtab doesn't have it), let her in." I believe it is
important to provide a way to configure login.krb5 such that
the keytab (and srvtab, if appropriate) file must exist.
Otherwise, the security provided through use of the keytab
file may be lost if the keytab file was supposed to exist
but was removed by some mechanism other than an authorized
person explicitly deciding to remove it. For example, the
keytab file might go away during a run of fsck. Also, there
are occasionally security holes in software unrelated to
Kerberos that allow ordinary users to remove files owned by
root, but otherwise don't grant the users root access (e.g.,
this problem exists in some versions of lpr, and in various
other programs that are attempting to delete only certain
files under /tmp/). Because of these two reasons, it's often
not a good idea to disable a security feature on the basis of
finding that a particular file does not exist.
Presumably the problem could be examined by simply deleting
or renaming a system's keytab file. If a more realistic
scenario is needed, install unreliable disk hardware or an
appropriately broken version of lpr.
the keytab file exists and contains the relevant key. Another
possibility is to require only that the keytab file exists
and has non-zero length. In this latter case, it may be
sufficiently unlikely that the keytab file accidentally has
contents that weren't intended by the system administrator.
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id WAA17343 for <bugs@RT-11.MIT.EDU>; Sun, 10 Nov 1996 22:10:29 -0500
Received: from YAZ-PISTACHIO.MIT.EDU by MIT.EDU with SMTP
id AA29840; Sun, 10 Nov 96 22:10:28 EST
Received: by yaz-pistachio.MIT.EDU (5.57/4.7) id AA09548; Sun, 10 Nov 96 22:10:27 -0500
Message-Id: <9611110310.AA09548@yaz-pistachio.MIT.EDU>
Date: Sun, 10 Nov 96 22:10:27 -0500
From: mhpower@MIT.EDU
Reply-To: mhpower@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: login.krb5 behavior with an accidentally missing keytab
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 173
>Category: krb5-appl
>Synopsis: login.krb5 behavior with an accidentally missing keytab
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Nov 10 22:11:01 EST 1996
>Last-Modified:
>Originator: Matt Power
>Organization:
mit>Category: krb5-appl
>Synopsis: login.krb5 behavior with an accidentally missing keytab
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Nov 10 22:11:01 EST 1996
>Last-Modified:
>Originator: Matt Power
>Organization:
Show quoted text
>Release: 1.0-development
>Environment:
>Environment:
System: ULTRIX yaz-pistachio 4.2 0 RISC
Machine: mips
Show quoted text
>Description:
The description of verifying the user's ticket-granting ticketincludes the text "If the host/<host> service is unknown
(i.e., the local keytab doesn't have it), let her in." and
"If the rcmd.<host> service is unknown (i.e., the local
srvtab doesn't have it), let her in." I believe it is
important to provide a way to configure login.krb5 such that
the keytab (and srvtab, if appropriate) file must exist.
Otherwise, the security provided through use of the keytab
file may be lost if the keytab file was supposed to exist
but was removed by some mechanism other than an authorized
person explicitly deciding to remove it. For example, the
keytab file might go away during a run of fsck. Also, there
are occasionally security holes in software unrelated to
Kerberos that allow ordinary users to remove files owned by
root, but otherwise don't grant the users root access (e.g.,
this problem exists in some versions of lpr, and in various
other programs that are attempting to delete only certain
files under /tmp/). Because of these two reasons, it's often
not a good idea to disable a security feature on the basis of
finding that a particular file does not exist.
Show quoted text
>How-To-Repeat:
Presumably the problem could be examined by simply deleting
or renaming a system's keytab file. If a more realistic
scenario is needed, install unreliable disk hardware or an
appropriately broken version of lpr.
Show quoted text
>Fix:
I think the best solution is for the option to require thatthe keytab file exists and contains the relevant key. Another
possibility is to require only that the keytab file exists
and has non-zero length. In this latter case, it may be
sufficiently unlikely that the keytab file accidentally has
contents that weren't intended by the system administrator.
Show quoted text
>Audit-Trail:
>Unformatted:
>Unformatted: