Hi Spike,

The KCM module mentioned in the article was introduced in SSSD 1.15.3 [1].

Latest RHEL7 version is 7.9 with SSSD 1.16.5
Latest RHEL8 version is 8.3.0 with SSSD 2.3.0
Last RHEL7 version without KCM module implemented in SSSD was RHEL 7.3 with SSSD 1.14

RHEL8 uses KCM by default, where RHEL7 is using KEYRING by default.

For more information about KCM in SSSD you can check the KCM design documents [2].

Quoting the linked article:

"With the right Kerberos tickets, it is possible to move laterally to the rest of the Active Directory domain. If a privileged user authenticates to a compromised Linux system (such as a Domain Admin) and leaves a ticket behind, it would be possible to steal that user's ticket and obtain privileged rights in the Active Directory domain."

I would say that no matter if KCM is used or not, if the attacker has root access to a machine which is part of the domain, this is already a security concern. Using the tools described in the article it is possible to decrypt the KCM disk cache and extract access tokens. If a privileged user authenticates on a machine controlled by the attacker, his access tokens will be stolen.

Restrictive access policies inside the domain can make reusing those stolen tokens harder for the attacker.

Best regards,
Pawel

On Sat, Mar 20, 2021 at 4:06 AM Spike White <spikewhitetx@gmail.com> wrote:

All,

https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html

Is this a security concern for the sssd version on RHEL7 & 8? I.e., if a hacker acquires root on one low-value asset, can they move laterally to more high-value assets?

Spike White
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure