[Beowulf] Newbie

Leif Nixon nixon at nsc.liu.se
Fri Jan 6 13:28:45 EST 2006


"Robert G. Brown" <rgb at phy.duke.edu> writes:

> On Thu, 5 Jan 2006, Leif Nixon wrote:
>
>>> However, if any account is compromised by any means whatsoever, you're
>>> equally screwed regardless of how you authenticate at the shell level.
>>
>> Kerberos-style security can give you a certain level of extra
>> protection, depending on the circumstances, so there *are* different
>> shades of screwedness.
>
> ???
>
> Teach me this.

For one thing: If your home directories are on a kerberized file
system, a bad guy getting root on single client does not immediately
have rw access to all your users' files.

Contrast this to the vanilla NFS/ssh case, where a root compromise on
a client is enough to gain access to every user account on every
client machine within the NFS domain. (su $LUSER "echo \"$MYKEY\" >> ~/.ssh/authorized_keys")

This may be just enough of an advantage that you can arrive on Monday morning
and find just one or two compromised machines, instead of an entire department's
worth of trojanned and root-kitted machines.

> That is (rant aside:-), if things are set up so that a user on system A
> has login privileges on system B, AFAIK a compromised shell (on A) under
> kerberos provides a clever cracker with access to the user's kinit
> password, and hence ability to obtain kerberos credentials and a shell,
> on system B.  So it is just as vulnerable to password TRAPS

Indeed. But there are other avenues of attack.

> The moral of this particular story is that you can never be quite
> CERTAIN that your system(s) haven't already been cracked, even if you
> are very good, unless you REALLY work at it.

Not even then, unless you know for sure that there are no potential
attackers in the whole world that are smarter than you.

-- 
Leif Nixon                       -            Systems expert
------------------------------------------------------------
National Supercomputer Centre    -      Linkoping University
------------------------------------------------------------
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf



More information about the Beowulf mailing list