Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.13. Employee just left the company, and he had root on our KDC. What should I do?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Property taxes ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.12. We run AFS at our site currently. Is there a way we can run Kerberos along with AFS?
Next Document: 2.14. How should I configure my DNS for Kerberos?
See reader questions & answers on this topic! - Help others by sharing your knowledge

If a person had root on your KDC, then they had the ability to grab a copy
of your entire Kerberos database. While the database is encrypted with the
master key, a root user could have read the master key out of the stash
file, or even attached a debugger to the KDC process to read the master key
out of the KDC's memory.

So, this now becomes a question of what to do when every key in your
database is compromised.

When a user's key is compromised, the attacker can impersonate that user.

If a host key is compromised, then an attacker could generate forged service
tickets for that host with any user in the ticket.

However, the worst key to get compromised is the krbtgt key, as an attacker
could use this to generate a valid TGT for any principal in your realm!

The steps you should take depend on the exact circumstances of the incident
and your local site policy. However, it's important to keep in mind that the
worst-case scenario is that your realm would need to be completely re-keyed.

If I personally was responsible for our KDC and this situation happened to
me (a person who had root on our KDC left under questionable circumstances),
I would immediately change the key for the krbtgt and the admin principals,
and force a global user password change over some period of time (assuming
we weren't expiring passwords at this point).

As a side note, a compromised master key isn't quite as bad as one would
normally fear. The master key is only used to encrypt the Kerberos database
and as a seed for the random number generator. As long as access to your KDC
is secure, an attacker can't do much with the master key.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.12. We run AFS at our site currently. Is there a way we can run Kerberos along with AFS?
Next Document: 2.14. How should I configure my DNS for Kerberos?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM