Bob Dew says:
> What leads you to believe that AFS or DCE relies on a
> one-person/one-machine concept? I can assure you it does not.
> AFS authentication tokens are stored in the kernel of the authenticating
> host, and cache chunks are root-protected on a disk or stored in RAM.
> Neither the tokens nor the cache needs to reside on the local (physical)
> machine. The only user that has access to cached data or stored tokens
> is the root account on the cache manager host.
> True, the host which runs the cache manager needs a protected root
> password, but I wouldn't by any means say that this constitutes
> "complete insecurity" -- it makes the system as secure as the root
> password of the cache manager.
The authenticating host ALSO needs a protected root password, because I
can extract tokens from the kernel and steal them if I have root on
that machine. (Don't claim you can't -- plenty of people will
willingly give you a demonstration if you don't believe it. Systems
are poorly protected against root.)
Given that bugs that allow users to gain root on a machine they can
log into crop up periodically, this means that anyone who uses any
Kerberos on any machine with other users on it is potentially open. He
or she is certainly open if anyone knows root on their workstation.