Re: On shisa and its password disclosure.

[Russ Allbery]

Mats Erik Andersson <address@hidden> writes:

> I am somewhat disturbed by that fact that the superuser
> is able to execute

>    # shisa -d --keys

> thereby gaining access to all passwords for all principals
> of the running KDC.

The keys, or the passwords?  Not that it probably makes a lot of
difference (although only being able to get the keys means that at least
it's difficult to attack other realms where the user may reuse the
password).

> Contrast this to the situation with MIT Kerberos or Heimdal,
> where a selected administrator is entrusted with the power to
> inspect such secrecies, which the superuser is unable to access,
> unless he was able to snoop the administrator's password.

The superuser on the KDC can similarly retrieve the keys for any principal
in the Kerberos KDC with both MIT and Heimdal, using kadmin -l (Heimdal)
or kadmin.local (MIT).

It's very difficult in a traditional UNIX security model to protect
anything against the superuser, of course.  If all else fails, one can
always just read the disk database files directly.  Improved security
probably requires eliminating the traditional security model via something
like SELinux.

-- 
Russ Allbery (address@hidden)             <http://www.eyrie.org/~eagle/>