PROJECTS: Kerberos Research - Limitations of Kerberos

Page last modified Mon Jan 6 13:51:03 2003

While Kerberos provides some excellent features for securing workstations in a networked environment, it does have some limitations that you should be aware of.

Kerberos is an all-or-nothing approach

Every service enabled on the network must be modified to work with Kerberos (or be otherwise secured against network attacks); otherwise the users' credentials could be stolen and re-used on the Kerberized services.

Kerberos is intended for single-user workstations

In a multi-user environment, Kerberos is less secure. This is because it stores the tickets in the /tmp directory, which is readable by all users. If a user is sharing a computer with several other people simultaneously (i.e. multi-user), it is possible that the user's tickets can be stolen (copied) by another user.

This can be overridden with a -c filename command-line option or (preferably) the KRB5CCNAME environment variable, but this is rarely done.
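As an added example (not from the original page), the following POSIX shell functions audit the credential caches in a shared directory for ones readable by other users, and set up a per-user cache location via KRB5CCNAME. The krb5cc_* naming, the /tmp default and the $HOME/.krb5 location are assumptions; stat -c is the GNU form, with stat -f as a BSD fallback.

```shell
#!/bin/sh
# Added example: audit Kerberos ticket caches for exposure to other users
# and point KRB5CCNAME at a private cache. Paths and names are assumptions.

# Return 0 if the file is readable only by its owner (no group/other read bit),
# 1 if it is missing or readable by anyone else.
ccache_is_private() {
    f="$1"
    [ -e "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    # keep only the last three octal digits (drop any setuid/sticky digit)
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    # read bit (4) set for group or other means another user can copy the tickets
    if [ $((group & 4)) -ne 0 ] || [ $((other & 4)) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Print every krb5cc_* cache in a directory (default /tmp) that other users can read.
find_exposed_ccaches() {
    dir="${1:-/tmp}"
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue
        ccache_is_private "$f" || printf '%s\n' "$f"
    done
}

# Create a mode-0700 directory for this user's cache, export KRB5CCNAME to point
# at it, and print the resulting value. Run this before kinit.
setup_private_ccache() {
    dir="${1:-$HOME/.krb5}"
    mkdir -p "$dir" && chmod 700 "$dir"
    KRB5CCNAME="FILE:$dir/krb5cc_$(id -u)"
    export KRB5CCNAME
    printf '%s\n' "$KRB5CCNAME"
}

# Typical use:
#   find_exposed_ccaches /tmp        # lists caches other users could copy
#   eval "$(setup_private_ccache)"   # or source this file and call it directly
```

Because KRB5CCNAME only takes effect for the shell that exported it, setup_private_ccache is most useful sourced from a login script rather than run as a separate process.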

The KDC is a single point of security failure

By design, the KDC must be secure as the master password database is contained on it. The KDC should have absolutely no other services running on it and should be physically secured. The danger is high because Kerberos stores all passwords encrypted with the same key (the "master" key), which in turn is stored as a file on the KDC.

As a side note, a compromised master key isn't quite as bad as one might normally fear. The master key is only used to encrypt the Kerberos database and as a seed for the random number generator. As long as access to your KDC is secure, an attacker can't do much with the master key.

Additionally, if the KDC is unavailable (perhaps due to a denial of service attack or network problems), the network services are unusable as authentication cannot be performed. This can be alleviated with multiple KDCs (a single master and one or more slaves) and with careful implementation of secondary authentication (PAM is excellent for this).

Kerberos doesn't explicitly protect against Trojan attacks

Kerberos allows users, hosts and services to authenticate between themselves. It does not have a mechanism for authenticating the KDC to the users, hosts or services. This means that a trojaned kinit (for example) could record all user names and passwords. Something like Tripwire or other filesystem integrity checking tools can alleviate this.
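As an added example (not the page's or Tripwire's code), the shell functions below implement the integrity check the paragraph suggests in its simplest form: record a SHA-256 baseline of the client binaries that handle Kerberos passwords, then later compare the installed files against it. The binary paths in the usage comment are assumptions; sha256sum is the GNU tool, with shasum as a fallback.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline for Kerberos client binaries.
# The baseline must live where a compromised host cannot rewrite it
# (read-only media or another machine); paths below are assumptions.

# Print "hash  path" for one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Write one "hash  path" line per existing regular file to stdout.
make_baseline() {
    for f in "$@"; do
        [ -f "$f" ] && hash_file "$f"
    done
}

# Compare the current files against a baseline. Prints CHANGED or MISSING
# for each discrepancy; returns 1 if anything differs, 0 if all match.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            status=1
            continue
        fi
        actual=$(hash_file "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'CHANGED %s\n' "$path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Typical use (binary and baseline paths are assumptions):
#   make_baseline /usr/bin/kinit /usr/bin/klist /usr/bin/kpasswd > /mnt/ro/krb5.baseline
#   verify_baseline /mnt/ro/krb5.baseline && echo "Kerberos client binaries unchanged"
```

A baseline only detects replacement of the files it lists; a trojaned kinit could equally arrive as a modified shared library or a PATH entry ahead of /usr/bin, so the list should cover the libraries kinit loads and the check should run from a trusted copy of the shell tools.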

© 2002-2005 Tillman Hodgson, security consultant.