Re: NFS Security Question

From: Ryan Russell (ryan@securityfocus.com)
Date: 08/15/01


Date: Tue, 14 Aug 2001 19:46:19 -0600 (MDT)
From: Ryan Russell <ryan@securityfocus.com>
To: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: Re: NFS Security Question
Message-ID: <Pine.GSO.4.30.0108141942580.19939-100000@mail>

On Tue, 14 Aug 2001, Darren Moffat wrote:

> But if you have that level of access to the machine and can convince Bob
> to log in to it, it would be much easier just to install a fake login
> program and capture his password and then do the dirty deed on his own
> machine when he has left his office (or remotely).

Well, I thought of that... but that's the point of Kerberos, right? Even
if my machine is participating as a Kerberos client for allowing other
people to log in, I can't steal anything that gives me a long-term ability
to pretend to be Bob. And hopefully, the item that is presented to my
machine when Bob comes on should be of limited usefulness, and wouldn't
allow me to do everything Bob could normally do while that ticket was
good?

                                Ryan