Re: On shisa and its password disclosure.

[Mats Erik Andersson]

söndag den 28 oktober 2012 klockan 10:46 skrev Russ Allbery detta:
> Mats Erik Andersson <address@hidden> writes:
> 
> > I am somewhat disturbed by that fact that the superuser
> > is able to execute
> 
> >    # shisa -d --keys
> 
> > thereby gaining access to all passwords for all principals
> > of the running KDC.
> 
> The keys, or the passwords?  Not that it probably makes a lot of
> difference (although only being able to get the keys means that at least
> it's difficult to attack other realms where the user may reuse the
> password).

The execution of "shisa -d --keys address@hidden" will print the
password in clear text, which I find uncomforting. All the more
so since it is not at all needed in maintaining the keytab file.
I would have expected a dicotomy like used for shadow passwords,
where only a string hash is stored, not the plain text string.

That "shisa" exposes the salt and encryption key is acceptable
to me, since the latter is needed for the keytab, but printing
the passwords seems very backwards.

> > Contrast this to the situation with MIT Kerberos or Heimdal,
> > where a selected administrator is entrusted with the power to
> > inspect such secrecies, which the superuser is unable to access,
> > unless he was able to snoop the administrator's password.
> 
> The superuser on the KDC can similarly retrieve the keys for any principal
> in the Kerberos KDC with both MIT and Heimdal, using kadmin -l (Heimdal)
> or kadmin.local (MIT).

Executing "kadmin.local: getprinc address@hidden" will not reveal the
clear text password, only basic information about the principal.
In my admittedly limited experience with MIT/Solaris, there has never
appeared a means for the administrator to make readable any clear
text passwords. Is there such a command?

Regards,
  Mats E A