Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

Nico Williams nico at cryptonector.com
Wed Jun 28 17:11:21 CEST 2017

On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan Liman wrote:
> All (pun intended!),
> On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
> >> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> >> having all rights on the database is unable to extract keytabs:
> nico at cryptonector.com:
> > This is on purpose.
> > We decided that it was never a good idea for "all" to have meant
> > "extract keys", because in general that's not desirable.
> I very seldom raise my voice on this mailing list, but here I must, on
> sheer principal grounds.

I hope you feel welcomed.  Please speak up more often!

> Chosen names must have obvious meanings. To have a status called "all"
> which isn't *ALL* is confusing at best. It will confuse the h-ll out of
> sysadmins over the globe for years to come, wasting time and money for
> no good purpose at all. I would have spent hours upon hours not
> understanding what the problem was, had I run into this trap.
> The "keep it simple" principle and the principle of least surprise are
> two fundamental principles for successful system management.
> Please fix this, either by changing the name "all" to "most" (or
> preferably to something better), or by changing the behaviour to be
> *ALL*. Either is fine, but having "all" not mean *ALL* is not a good way
> forward.

Renaming "all" to "most" would have been a backwards-incompatible change
too.  We chose a different backwards-incompatible change.

Changing the meaning of "all" was a backwards-incompatible change that
we WANTED to make because the previous situation was... not good!  By
making this change we're confronting sites with the underlying problem
that allowing extraction of keys from the HDB is NOT a good thing, and
we're letting them choose how to move past this (they have two options).

Since there is a trivial way to get "all" + "get-keys", this change,
though backwards-incompatible, is of rather limited impact.  It is true
that switching to "ext_keytab -r", which is what we want sites to do, is
more difficult and requires careful consideration by them, but again,
you can get the old "all" by granting your admins "all" + "get-keys", so
you're not forced to use "ext_keytab -r".

In general, backwards-compatibility is a high priority.  But security is
a higher priority.  In general, we might remove interfaces and important
behaviors, but we won't break them.  If some interface in Heimdal is
insecure, and no backwards-compatible change can make it secure, then
we're just going to make a backwards-incompatible change.

All in all, we considered this carefully.  It's been discussed
extensively now, and we will make no further changes in this area other
than to improve the error message that users get.  I'm not being
flippant here, and I'm not ignoring your input.  We appreciate that this
change was surprising and caused some pain and we appreciate your input,
and if we reject your proposal in this case, please understand that it's
only after careful consideration.
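The two options above ("all" + "get-keys" versus "ext_keytab -r") are decided per entry in kadmind.acl. The following is an added example, not part of this thread and not Heimdal's own code: a POSIX shell audit over a constructed kadmind.acl sample that lists which admin principals hold "all" without "get-keys" (and so lose keytab extraction after the 7.3 change) and which hold "get-keys" at all (worth reviewing, since that is the right that actually exposes HDB keys). The ACL line format `principal rights[,rights...] [pattern]` and the sample principals are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of a Heimdal kadmind.acl (format assumed for this
# example: principal, comma-separated rights, optional target pattern).
ACL_SAMPLE='ops/admin@EXAMPLE.COM all
backup/admin@EXAMPLE.COM all,get-keys
helpdesk/admin@EXAMPLE.COM change-password,get *@EXAMPLE.COM
# comment lines and blank lines are skipped
'

# Print principals whose rights include "all" but not "get-keys".
# After Heimdal 7.3 these can no longer run ext_keytab without -r;
# the site must either add get-keys or move them to ext_keytab -r.
all_without_get_keys() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            n = split($2, r, ",")
            has_all = 0; has_gk = 0
            for (i = 1; i <= n; i++) {
                if (r[i] == "all") has_all = 1
                if (r[i] == "get-keys") has_gk = 1
            }
            if (has_all && !has_gk) print $1
        }'
}

# Print principals that hold the get-keys privilege: each one can
# extract existing keys from the HDB and should be justified explicitly.
with_get_keys() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            n = split($2, r, ",")
            for (i = 1; i <= n; i++) {
                if (r[i] == "get-keys") { print $1; break }
            }
        }'
}

# Stand-alone run over the constructed sample.
echo "all without get-keys (affected by the 7.3 change):"
all_without_get_keys "$ACL_SAMPLE"
echo "holders of get-keys (review these):"
with_get_keys "$ACL_SAMPLE"
```

Run it against a real file with `all_without_get_keys "$(cat /var/heimdal/kadmind.acl)"` (path assumed; use your site's location). Entries in the first list are the ones to decide on; keeping them on "all" alone and switching their workflow to `ext_keytab -r` is the option that does not grant key extraction.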