Kerberos server guide: Do not use kerberos_example in documentation

Bug #1866839 reported by Claudio Kuenzler
Affects: Ubuntu Server Guide (Bionic). Status: Confirmed. Importance: Undecided. Assigned to: Unassigned.

Bug Description

On the official and up to date Kerberos server guide page (https://help.ubuntu.com/lts/serverguide/kerberos.html), the last section uses the following command snippet:

sudo auth-client-config -a -p kerberos_example

Using this kerberos_example is a very bad idea as it will allow any local user to become root without additional authentication!

This should definitely be changed to something secure, as a lot of people (unfortunately) follow such guides in a blind manner.

For more information, see
- https://www.claudiokuenzler.com/blog/874/local-users-becoming-root-using-su-without-password-authentication-wrong-config
- https://bugs.launchpad.net/ubuntu/+source/auth-client-config/+bug/526999.
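A defender-side check for the failure mode described in the report, added here and not part of the bug report or of auth-client-config: it simulates a PAM `auth` stack under the assumption that every credential-checking module fails and reports whether PAM would still return success. The two sample stacks are constructed for illustration (the weak one shows the class of misconfiguration, not the literal contents of the kerberos_example profile), and `include`/`substack` lines are assumed to be already flattened.

```python
import re

# Modules that verify a credential; all others are assumed to simply succeed.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_krb5.so", "pam_sss.so", "pam_ldap.so"}
# pam.conf(5) keyword controls expressed as their [value=action] tables.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}

def parse_auth_stack(text):
    """Return (control, module) pairs for the 'auth' lines, comments stripped."""
    pat = re.compile(r"\s*auth\s+(\[[^\]]+\]|\S+)\s+(\S+)")
    return [m.groups() for m in map(pat.match, (l.split("#", 1)[0] for l in text.splitlines())) if m]

def action_for(control, succeeded):
    """Map a control field plus module outcome to (action, modules_to_skip)."""
    table = (dict(t.split("=", 1) for t in control[1:-1].split())
             if control.startswith("[") else KEYWORDS[control])
    action = table.get("success" if succeeded else "auth_err", table.get("default", "bad"))
    return ("ok", int(action)) if action.isdigit() else (action, 0)

def succeeds_without_credentials(text):
    """Simulate the auth stack with every credential module (and pam_deny) failing.
    True means PAM still returns success: su to root would need no password."""
    stack, verdict, i = parse_auth_stack(text), None, 0  # verdict: None, "ok" or "bad"
    while i < len(stack):
        control, module = stack[i]
        action, skip = action_for(control, module not in (CREDENTIAL_MODULES | {"pam_deny.so"}))
        if action == "die":                        # requisite failure: stop, deny
            return False
        if action == "done" and verdict != "bad":  # sufficient success, no earlier failure
            return True
        if action == "bad":
            verdict = "bad"
        elif action in ("ok", "done") and verdict is None:
            verdict = "ok"
        i += 1 + skip                              # integer actions jump over modules
    return verdict == "ok"

# Constructed samples: the stock Ubuntu common-auth shape, and a stack that never denies.
SAFE_STACK = """\
auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""
WEAK_STACK = """\
auth  sufficient  pam_krb5.so
auth  sufficient  pam_unix.so use_first_pass
auth  required    pam_permit.so
"""
```

Run `succeeds_without_credentials(open("/etc/pam.d/common-auth").read())` on a host after applying a profile; a `True` result means the stack can be passed with no valid credential at all.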

Andreas Hasenack (ahasenack) wrote:

Thanks for filing this bug. I'm in the process of rewriting/checking the guides, and kerberos is in the list. I added this bug to my list of things to check.

Andreas Hasenack (ahasenack) wrote:

This doesn't affect focal, since auth-client-config isn't in the archive anymore. But the docs should be clarified for bionic.

Andreas Hasenack (ahasenack) wrote:

I updated the guide at https://discourse.ubuntu.com/t/service-kerberos/11331

That chapter has a section on client authentication which I also updated.

Doug Smythies (dsmythies) wrote:

Why did you set this to "fix released" for bionic? It hasn't been fixed.
