[Freeipa-users] local root can su to any IPA user

Jakub Hrozek jhrozek at redhat.com
Thu Feb 27 23:06:25 UTC 2014


On Thu, Feb 27, 2014 at 10:36:01PM +0000, Nordgren, Bryce L -FS wrote:
> 
> 
> > But I
> > would argue that in this case root can just add some other module to the
> > pam stack that would dump passwords for any user who uses pam stack
> > regardless whether SSSD is in the picture or not so it is not SSSD problem and
> > I do not think it can be generally solved with the software. It is the point
> > where you cross the line into physical security and organization's security and
> > trust policies.
> 
> In a Kerberos/IdM/AD environment, the password isn't available except at
> initial sign on. If I sign on using my machine, then ssh to user Evil's
> machine, the worst user Evil can do is steal my TGT, which has a much
> shorter life than a password. If Evil is quick, he can get at my files on
> the main server. But I never give my password to user Evil in this situation,
> and user Evil is not an admin on my box, where he can affect the pam stack.
> 

Assuming you're using the TGT (acquired on your machine) to SSH to Evil,
it's still the same case and the SSSD is not even involved.

If you're typing your Kerberos password to a machine controlled by
Evil, you have problems :-) But that's true with or without SSSD.
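
The distinction Jakub draws, between authenticating to Evil's machine with your TGT and typing your Kerberos password into it, is decided on the client side by two OpenSSH settings: GSSAPIDelegateCredentials (whether your ticket is forwarded to the server, which is the only way root there gets a copy of it) and whether ssh may fall back to password or keyboard-interactive authentication when GSSAPI fails. The shell script below is an added example, not code from this thread or from the FreeIPA project; it audits a client ssh_config for those settings and runs against two constructed sample configs. It assumes only POSIX sh, awk and mktemp; the hostname pattern *.example.com in the sample is made up.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an OpenSSH client
# config for directives that would hand a Kerberos credential to the host
# you are logging in to. Sample configs below are constructed for the demo.

audit_ssh_config() {
    # $1: path to an ssh_config file. Prints one finding per risky directive,
    # tagged with the Host/Match stanza it sits in ("*" before any stanza),
    # and returns 1 if anything was found, 0 otherwise. Only explicit settings
    # are reported: a missing PasswordAuthentication line means OpenSSH's
    # default (yes) applies, so silence is not the same as safe.
    awk '
        BEGIN { scope = "*"; bad = 0 }
        { sub(/#.*/, ""); gsub(/=/, " ") }        # strip comments, allow Key=Value
        NF == 0 { next }
        { key = tolower($1); val = tolower($2) }
        key == "host"  { $1 = ""; scope = substr($0, 2); next }
        key == "match" { scope = $0; next }
        key == "gssapidelegatecredentials" && val == "yes" {
            printf "[%s] %s: forwards your TGT to the server; root there can act as you until it expires\n", scope, $1
            bad = 1 }
        key == "passwordauthentication" && val == "yes" {
            printf "[%s] %s: lets ssh fall back to typing your Kerberos password into the remote host\n", scope, $1
            bad = 1 }
        key == "kbdinteractiveauthentication" && val == "yes" {
            printf "[%s] %s: lets the remote PAM stack prompt you for your password\n", scope, $1
            bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the "just make Kerberos work everywhere" config.
RISKY_CFG=$(mktemp)
cat > "$RISKY_CFG" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    PasswordAuthentication yes
EOF

# Constructed sample: the ticket authenticates you but is never handed over,
# and ssh refuses to fall back to a password prompt on the remote box.
SAFE_CFG=$(mktemp)
cat > "$SAFE_CFG" <<'EOF'
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PreferredAuthentications gssapi-with-mic,publickey
EOF
trap 'rm -f "$RISKY_CFG" "$SAFE_CFG"' EXIT

echo "== risky config =="
audit_ssh_config "$RISKY_CFG" || echo "verdict: a credential can leak to the remote host"
echo "== safe config =="
audit_ssh_config "$SAFE_CFG" && echo "verdict: ticket is used for authentication only, nothing is handed over"
```

The audit reads the file as written and does not resolve OpenSSH's defaults or Match conditions. For the values ssh will actually use against a particular host, ask the client itself, for example `ssh -G evil.example.com | grep -i -e gssapi -e passwordauth` (the hostname is a placeholder).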



