Of cats and dogs
We’re going to let the debate over the Back to My Mac “security hole” we discovered simmer for a day or two while we bring up a related and potentially more serious issue. But we won’t be alarmist (yet).
The issue once again has to do with sharing services between two Leopard machines, this time two machines on the same network. The story is a bit of a long one, but the issue ultimately comes down to this:
The login process for sharing between two Leopard machines on the same network does not behave the way many people would expect. This new, even if intended, behavior can lead to significant security compromises.
Here are a couple of examples of the new behavior:
• A Leopard machine, with File and Screen Sharing enabled, shows up in the “Shared” portion of the Finder sidebar of another Leopard machine. The user selects that machine, then hits “Connect as...” to log into it. The user enters their login name and password and is connected to that machine’s File Sharing with appropriate rights. So far so good. The user then logs off that machine, or at least thinks they do. However, the next time they select it in the sidebar, they’re connected without entering their name and password.
• The same user selects the same machine and clicks “Share Screen.” They are granted full access to that machine’s Screen Sharing (and hence to the machine itself) without ever being asked for a login name and password.
Apple may well tell you that these are both security “features.” And they might well be security features if they’re what people are expecting. But they’re not, so they’re not.
Why does Leopard work this way? And why does the title of this blog entry include dogs as well as cats? The answer to both is Kerberos. Kerberos, in Greek mythology, was the name of the three-headed dog that guarded Hades. In our case, however, Kerberos is the name of an increasingly popular single sign-on authentication system, which Apple has chosen to implement as part of Leopard.
Actually, parts of Kerberos have been included in previous versions of Mac OS X, but they were mainly used only in larger organizations, since a Kerberos server (such as Mac OS X Server) was required. With Leopard, however, each Mac acts as its own Kerberos server.
As mentioned, Kerberos is a single sign-on system. One of its main goals, and perhaps the main reason Apple implemented it, is to enable a user to sign on (log in) once to “the system” and then be able to access all of the related services for which that user is authorized. In the particular case of Leopard, these services include at least that machine’s File and Screen Sharing if they’re enabled. The user’s Kerberos authorization to use all those services, without needing to re-authenticate, remains in effect for a fairly long period of time, by default 10 hours (which happens to be the approximate length of a workday).
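The cached ticket is what makes the password-free reconnect possible, and you can see it yourself with the klist command. The script below is an added example (not from the original post): it parses a klist listing and reports which services are still reachable without a password at a given moment and for how long. The listing is a constructed sample in the standard MIT klist column layout, and the service names and realm hash are assumptions, not taken from a real Leopard machine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout MIT Kerberos klist prints. Assumptions:
# the principal names are illustrative and the realm hash is a placeholder.
SAMPLE_KLIST = """\
Ticket cache: API:Initial default ccache
Default principal: alice@LKDC:SHA1.PLACEHOLDER

Valid starting       Expires              Service principal
10/30/2007 09:00:00  10/30/2007 19:00:00  krbtgt/LKDC:SHA1.PLACEHOLDER@LKDC:SHA1.PLACEHOLDER
10/30/2007 09:05:12  10/30/2007 19:00:00  afpserver/LKDC:SHA1.PLACEHOLDER@LKDC:SHA1.PLACEHOLDER
10/30/2007 09:07:40  10/30/2007 19:00:00  vnc/LKDC:SHA1.PLACEHOLDER@LKDC:SHA1.PLACEHOLDER
"""

# One ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_tickets(text):
    """Return (service, valid_from, expires) tuples from klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append((m.group(3),
                            datetime.strptime(m.group(1), TIME_FMT),
                            datetime.strptime(m.group(2), TIME_FMT)))
    return tickets


def live_tickets(text, now, max_hours=1.0):
    """Services reachable without a password at `now`, with the hours left
    on each ticket and a flag when that exceeds `max_hours` (the 10-hour
    default lifetime trips it by a wide margin)."""
    report = []
    for service, start, expires in parse_tickets(text):
        if start <= now < expires:
            remaining = expires - now
            report.append((service,
                           round(remaining.total_seconds() / 3600, 2),
                           remaining > timedelta(hours=max_hours)))
    return report


if __name__ == "__main__":
    for entry in live_tickets(SAMPLE_KLIST, datetime(2007, 10, 30, 12, 0, 0)):
        print(entry)
```

To apply it to a real machine, pipe the output of klist into parse_tickets instead of the sample; kdestroy discards the cached tickets when you want the next connection to ask for a password again.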
You can probably see how the features of Kerberos are good from an ease-of-use perspective. And even how they’re good, if correctly understood, from a security perspective: only having to log in once means less chance of password disclosure while typing, and there can be fewer passwords to manage in some cases. Moreover, the Kerberos system itself is designed to be particularly good at maintaining and protecting users’ passwords.
The problem is that Apple forgot to tell the rest of us about this new system! OK, yes, there is a tech note available. But nowhere in the list of Leopard’s 300+ new features is it mentioned (OK, not nowhere, but only in relation to two specific services not relevant to this discussion). So most of us are not expecting it, or its new behavior, and don’t know how things are supposed to work. That’s where most of the problems come in.
There are lots and lots more details and issues to be discussed here, and they will be. But this entry has gotten quite long, and, as mentioned before, we continue to have products to ship. We’re guessing that some of you are looking for a specific way to address this whole “issue,” so, real briefly: if you want to block Leopard’s Kerberos because you don’t yet understand it, we believe you can simply use a personal firewall to block the Kerberos port (88, for both TCP and UDP). Ironically, Leopard’s built-in firewall does not seem to allow you to do this at all, but that firewall is another issue for another day! For now, we expect you know a company whose firewall should work fine :)
Tuesday, October 30, 2007