SURVIVOR: krb5 Check Module
Dependencies
Arguments
Description

The krb5 module executes the Kerberos V version of kinit in order to verify that the KDC on the host being checked is responding to ticket requests.

The keytab file must contain the key for principal. Setting this up requires write access to the primary KDC. In this example, the principal test/check.domain.org is written to the keytab /etc/check.keytab:

    pollerhost# kadmin -p adminprinc
    kadmin: addprinc -randkey test/check.domain.org
    kadmin: ktadd -k /etc/check.keytab test/check.domain.org
    kadmin: quit
    pollerhost# chown $INSTUSER /etc/check.keytab
    pollerhost# chmod 400 /etc/check.keytab

Note above that the keytab file is made readable only by the user that the scheduler runs as. This may prevent the command line interface from manually running this check module if it is run by a user unable to read the keytab.

The configuration directory (cfdir) must contain a valid krb5.conf file for each KDC to be tested, named krb5.hostname.conf. The contents of the file must list only hostname as a KDC (in addition to all the other standard definitions). For example, if alice is the primary KDC and bob is the secondary, the following two configuration files would be placed in cfdir:

krb5.alice.conf

    [libdefaults]
        ticket_lifetime = 600
        default_realm = REALM.ORG
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

    [realms]
        REALM.ORG = {
            kdc = alice.realm.org:88
            default_domain = realm.org
        }

    [domain_realm]
        .realm.org = REALM.ORG
        realm.org = REALM.ORG

krb5.bob.conf

    [libdefaults]
        ticket_lifetime = 600
        default_realm = REALM.ORG
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

    [realms]
        REALM.ORG = {
            kdc = bob.realm.org:88
            default_domain = realm.org
        }

    [domain_realm]
        .realm.org = REALM.ORG
        realm.org = REALM.ORG

Important: This module writes temporary files (the credentials obtained in verifying the principal) with predictable names: /tmp/check.krb5.hostname. While this should be no less secure than kinit run by ordinary users, if potentially malicious (or ordinary) users are permitted to log in to the scheduler host (which they shouldn't be), it may be possible to set up a race condition or symlink attack to get this module to write the test tickets to a file owned by the malicious or clueless user. While the contents of the file should be harmless (the test principal created above should have no privileges anywhere), the possibility of exploit cannot be ignored completely.

Also: This module will not succeed for all KDCs until the addprinc operation performed above on the primary KDC has propagated to all secondary KDCs.

Examples
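The following is an added example and not SURVIVOR's own code: a small POSIX sh stand-in for the check described above that generates one krb5.<hostname>.conf per KDC into cfdir and then obtains a ticket from a single KDC with the keytab. Unlike the module's /tmp/check.krb5.hostname file, the credential cache is created by mktemp with an unpredictable name and 0600 permissions, which closes the symlink and race window the warning describes. The function names (render_krb5_conf, write_kdc_configs, check_kdc) and the /etc/survivor path in the usage comment are assumptions; kinit -k -t, kdestroy -c, KRB5_CONFIG and KRB5CCNAME are standard MIT/Heimdal interfaces. The des-cbc-crc enctype lines from the page's 2006 configs are left out, since current KDCs no longer offer single DES and the defaults negotiate a supported enctype.

```shell
#!/bin/sh
# Added example, not part of SURVIVOR.  Assumed function names throughout.

# Emit a krb5.conf that lists exactly one KDC, as the module requires.
# $1 = KDC short hostname, $2 = realm (e.g. REALM.ORG), $3 = DNS domain
render_krb5_conf() {
    kdc=$1; realm=$2; domain=$3
    cat <<EOF
[libdefaults]
    ticket_lifetime = 600
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc.$domain:88
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Write krb5.<host>.conf into cfdir for every KDC named on the command line.
# $1 = cfdir, $2 = realm, $3 = domain, remaining args = KDC hostnames
write_kdc_configs() {
    cfdir=$1; realm=$2; domain=$3; shift 3
    for kdc in "$@"; do
        render_krb5_conf "$kdc" "$realm" "$domain" > "$cfdir/krb5.$kdc.conf"
    done
}

# Ask one KDC for a TGT using the keytab.  The ticket goes into a cache that
# mktemp creates privately (random name, mode 0600), so an unprivileged local
# user cannot pre-place a symlink at a known path.  Returns kinit's exit
# status (0 = KDC answered), or 2 if the per-KDC config is missing or the
# cache could not be created; the cache is destroyed on every path.
# $1 = cfdir, $2 = KDC hostname, $3 = keytab, $4 = principal
check_kdc() {
    cfdir=$1; kdc=$2; keytab=$3; principal=$4
    conf="$cfdir/krb5.$kdc.conf"
    [ -r "$conf" ] || { echo "no config for KDC $kdc: $conf" >&2; return 2; }
    cache=$(mktemp "${TMPDIR:-/tmp}/check.krb5.XXXXXX") || return 2
    KRB5_CONFIG="$conf" KRB5CCNAME="FILE:$cache" \
        kinit -k -t "$keytab" "$principal"
    rc=$?
    KRB5_CONFIG="$conf" kdestroy -c "FILE:$cache" 2>/dev/null
    rm -f "$cache"
    return $rc
}

# Usage (assumed paths; not executed when the file is sourced):
#   write_kdc_configs /etc/survivor REALM.ORG realm.org alice bob
#   check_kdc /etc/survivor alice /etc/check.keytab test/check.domain.org
#   check_kdc /etc/survivor bob   /etc/check.keytab test/check.domain.org
```

Because each call pins KRB5_CONFIG to a file naming a single kdc, a success from check_kdc proves that particular KDC answered rather than whichever one the library would otherwise fail over to; the same propagation caveat as above applies, so bob will fail until the new principal has replicated from alice.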
$Date: 2006/11/19 19:11:29 $ $Revision: 0.5 $
keywords: cfdir keytab principal