Hi,
We've been running Kerberos for a number of years. We've always run
all the processes (including kprop, kadmin, etc) as root. A new group
has taken over running these machines and don't want to give the
Kerberos support people root access. I've looked around but I can't
find out if Kerberos can run as a non-root user.
thanks,
ds
--
Dave Steiner
Identity Management, ESS
Rutgers University, Office of Information Technology
|
|
0
|
|
|
|
Reply
|
 Dave
|
2/28/2011 6:23:26 PM |
|
Dave <steiner.dave@gmail.com> writes:
> We've been running Kerberos for a number of years. We've always run all
> the processes (including kprop, kadmin, etc) as root. A new group has
> taken over running these machines and don't want to give the Kerberos
> support people root access. I've looked around but I can't find out if
> Kerberos can run as a non-root user.
No reason that I can see provided that you find a way for the KDC to bind
to port 88 before dropping privileges. But I don't think the code has any
built-in way of doing that other than starting the KDC as root.
Note, of course, that if you generally use Kerberos for authentication for
your systems, your operations group is being ridiculous here. Any
Kerberos KDC administrator could just change the password of one of the
operations people and then gain root that way.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
|
|
|
0
|
|
|
|
Reply
|
Russ
|
3/2/2011 9:41:50 PM
|
|
Russ Allbery <rra@stanford.edu> writes:
> Dave <steiner.dave@gmail.com> writes:
>
>> We've been running Kerberos for a number of years. We've always run all
>> the processes (including kprop, kadmin, etc) as root. A new group has
>> taken over running these machines and don't want to give the Kerberos
>> support people root access. I've looked around but I can't find out if
>> Kerberos can run as a non-root user.
>
> No reason that I can see provided that you find a way for the KDC to bind
> to port 88 before dropping privileges. But I don't think the code has any
> built-in way of doing that other than starting the KDC as root.
You can also run krb5kdc on an unprivileged port without running as
root, but that could require DNS SRV records or explicit configuration
on the clients.
> Note, of course, that if you generally use Kerberos for authentication for
> your systems, your operations group is being ridiculous here. Any
> Kerberos KDC administrator could just change the password of one of the
> operations people and then gain root that way.
True, unless for some reason the ops people don't trust Kerberos for
authenticating logins to the host that runs the KDC. It's still a
good security practice to avoid running any other services on a KDC
host though.
|
|
|
0
|
|
|
|
Reply
|
Tom
|
3/2/2011 9:58:42 PM
|
|
Tom Yu <tlyu@MIT.EDU> writes:
> Russ Allbery <rra@stanford.edu> writes:
>> Note, of course, that if you generally use Kerberos for authentication
>> for your systems, your operations group is being ridiculous here. Any
>> Kerberos KDC administrator could just change the password of one of the
>> operations people and then gain root that way.
> True, unless for some reason the ops people don't trust Kerberos for
> authenticating logins to the host that runs the KDC.
Even then, it's a serious uphill battle to protect against an actual
attacker with access to the KDC. They can silently compromise the account
of one of the people in operations and then Trojan ssh to sniff the root
password, just to pick one example. Protecting yourself against attackers
with KDC access is, at most sites that use Kerberos, a lost cause.
> It's still a good security practice to avoid running any other services
> on a KDC host though.
Yeah, that plus the use of Kerberos for authentication anyway is why I've
not only never seen any point in running production KDCs as non-root
users, I've never seen any point in having anyone other than the KDCs
administer the system on which the KDCs run. There's just no realistic
security gain; all these people tend to be able to access each other's
accounts with a modicum of work, so you may as well unify all the
operations so that you can minimize the footprint that way.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
|
|
|
0
|
|
|
|
Reply
|
Russ
|
3/2/2011 10:09:40 PM
|
|
|
3 Replies
202 Views
(page loaded in 0.075 seconds)
Similiar Articles: Running Kerberos as a different user than root - comp.protocols ...Hi, We've been running Kerberos for a number of years. We've always run all the processes (including kprop, kadmin, etc) as root. A new group h... Shibboleth IDP and mixed Windows 2003/2008 AD servers - comp ...Running Kerberos as a different user than root - comp.protocols ... Shibboleth IDP and mixed Windows 2003/2008 AD servers - comp ..... which sounds related to, but ... OpenSSH works for root but not for regular users - comp.unix ...Running Kerberos as a different user than root - comp.protocols ... OpenSSH works for root but not for regular users - comp.unix ... Running Kerberos as a different user ... Determine if "this" process is running with administrative ...Running Kerberos as a different user than root - comp.protocols ..... for the KDC to bind > to port 88 before dropping privileges ... Determine if "this" process is ... Setting different path for different users - comp.soft-sys.matlab ...Running Kerberos as a different user than root - comp.protocols ... Setting different path for different users - comp.soft-sys.matlab ..... way to tell matlab: "when user1 ... X11 connection rejected because of wrong authentication - comp.sys ...... or tried to run dtterm as a user other than the ... different default PATH's finding different versions of >xauth? I was running ... my ~/.Xauthority was owned by root.root ... Running multiple programs at once - comp.soft-sys.matlab ...If your answer is that the user will > eventually ... thing would be easier done by setting the root ... that you are trying to write this in, and running a different ... Login as root via Telnet - comp.unix.solaris... login as a regular user and then "su" to root ... the whole O/S rather than have "-s" mean something different ... to my Linux server (running YellowDogLinux) using the root ... ulimit does not work correctly on remote ssh - comp.os.linux.misc ...Are the nodes running from read-only media and ... files, but the '~/' > expands to be root's home, rather than the user. ... GSSAPI / Kerberos ticket authentication issues ... CDE to Java Desktop - comp.unix.solaris... as root, but first create a user ... new user learn. Getting them to have the desktop up and running ... than become so initially frustrated with something so different ... Running Kerberos as a different user than root - comp.protocols ...Hi, We've been running Kerberos for a number of years. We've always run all the processes (including kprop, kadmin, etc) as root. A new group h... Tomcat - User - running tomcat6 under a different user than root ...running tomcat6 under a different user than root (debian). How can I run tomcat under a different user than root (debian e.g.)? -- Christoph P.U.... 7/30/2012 10:47:04 AM
|
Search |
Post Question |
Groups |
Stream |
About |
Register
1 followers. 