Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.12. We run AFS at our site currently. Is there a way we can run Kerberos along with AFS?
Next Document: 2.14. How should I configure my DNS for Kerberos?

If a person had root on your KDC, then they had the ability to grab a copy of your entire Kerberos database. While the database is encrypted with the master key, a root user could have read the master key out of the stash file, or even attached a debugger to the KDC process and read the master key out of the KDC's memory. So this becomes a question of what to do when every key in your database must be assumed compromised.

When a user's key is compromised, the attacker can impersonate that user. If a host key is compromised, the attacker can forge service tickets for any service on that host, naming any client principal they like in the ticket. The worst key to lose, however, is the krbtgt key: with it an attacker can generate a valid TGT for any principal in your realm, and those forged TGTs are indistinguishable from real ones to the KDC.

The steps you should take depend on the exact circumstances of the incident and your local site policy. Keep in mind that the worst-case scenario is that your realm would need to be completely re-keyed. If I personally were responsible for our KDC and this happened to me (a person who had root on our KDC left under questionable circumstances), I would immediately change the key for the krbtgt and admin principals, and force a global user password change over some period of time (assuming we weren't expiring passwords at that point).

As a side note, a compromised master key isn't quite as bad as one would normally fear. The master key is only used to encrypt the Kerberos database and as a seed for the random number generator. As long as access to your KDC is secure, an attacker can't do much with the master key by itself; it only becomes valuable to someone who also obtains a copy of the database, such as a backup or a dump, since the master key is all that protects the principal keys stored in it.
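The re-keying steps above (krbtgt first, then the admin principals, then a forced password change for every user) as an added shell script for an MIT Kerberos KDC. This is example code, not part of the Kerberos FAQ or of MIT Kerberos itself; it assumes kadmin.local and kdb5_util are on the KDC host, and the realm name EXAMPLE.COM and the admin principal names are illustrative. The final master-key rotation goes beyond what the FAQ describes and needs MIT krb5 1.7 or later.

```shell
#!/bin/sh
# Emergency re-key of an MIT Kerberos realm after someone with root on the KDC
# leaves or the host is otherwise compromised.  Added example, not part of the
# Kerberos FAQ.  Assumes an MIT KDC (kadmin.local, kdb5_util); realm and admin
# names are illustrative.  Run as root on the KDC.  With DRY_RUN=1 the kadmin
# queries are printed instead of executed.

KADMIN="${KADMIN:-kadmin.local}"

# Run one kadmin.local query, or print it when DRY_RUN=1.
kadmin_q() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s -q "%s"\n' "$KADMIN" "$1"
    else
        "$KADMIN" -q "$1"
    fi
}

# 1. The krbtgt key is the worst one to lose, so it goes first.  -randkey
#    replaces it with a fresh random key and a new kvno.  Do NOT add -keepold:
#    a retained old key would still let the attacker forge TGTs the KDC accepts.
#    Side effect: every outstanding TGT in the realm becomes invalid, so users
#    have to kinit again.
rekey_krbtgt() {
    realm=$1
    kadmin_q "change_password -randkey krbtgt/${realm}@${realm}"
}

# 2. Admin principals get new passwords right away (kadmin.local prompts for
#    each one).  Merely flagging them +needchange would be useless: the attacker
#    holds the current key and could be the one to "change" it.
rekey_admins() {
    realm=$1; shift
    for p in "$@"; do
        kadmin_q "change_password ${p}@${realm}"
    done
}

# 3. Global user password change.  Reads principal names on stdin (one per
#    line, as printed by list_principals) and keeps only plain user principals;
#    anything with an instance (krbtgt/, kadmin/, host/, K/M, */admin) is a
#    service or admin principal that is handled separately.
user_principals() {
    grep -v '/' || :
}

# Flag each principal so its next authentication forces a password change.
# Pair this with a password expiration deadline so the rotation actually ends.
force_password_change() {
    while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        kadmin_q "modify_principal +needchange ${princ}"
    done
}

# 4. Beyond the FAQ (MIT krb5 1.7+): if the stash file was readable, rotate
#    the master key as well.  Add and stash a new key, activate it by the kvno
#    that "kdb5_util list_mkeys" reports for it, re-encrypt every principal
#    under it, then purge the old key.
rotate_master_key() {
    new_kvno=$1
    kdb5_util add_mkey -s
    kdb5_util use_mkey "$new_kvno"
    kdb5_util update_princ_encryption
    kdb5_util purge_mkeys
}

# Driver:  sh rekey.sh run EXAMPLE.COM admin/admin kenh/admin
# (Under DRY_RUN the list_principals step prints its query rather than a real
# listing; pipe a saved list_principals dump into force_password_change instead.)
rekey_realm() {
    realm=$1; shift
    rekey_krbtgt "$realm"
    rekey_admins "$realm" "$@"
    kadmin_q "list_principals" | user_principals | force_password_change
}

if [ "${1:-}" = run ]; then
    shift
    rekey_realm "$@"
fi
```

Order matters: the krbtgt change first, because until it is done the attacker can mint a TGT for any admin principal and undo whatever else you change. Expect the krbtgt rotation to log everyone out of Kerberos at once, and tell users that beforehand rather than after.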
Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM