FQDN needed by sasl_gss_client_step or gss_import_name?

Lawrence Greenfield leg+ at andrew.cmu.edu
Thu May 16 21:32:32 EDT 2002


   Date: Thu, 16 May 2002 20:19:14 -0500
   From: "Jacques A. Vidrine" <n at nectar.cc>

   On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
   > Hopefully the Kerberos clarifications in the krb-wg will address this
   > issue and MIT will change their implementation.. 

   Change it how?

By not using DNS to construct service principals.

Currently, when a request for (say) "ldap@ad.cmu.edu" is made, the MIT
GSS/Kerb implementation performs a forward lookup of "ad.cmu.edu" and
then a reverse lookup of the answer (say "fred.ad.cmu.edu") and then
requests a ticket for the service principal "ldap/fred.ad.cmu.edu".

Since DNS is an insecure mechanism (an attacker could substitute
"myevilmachine.cmu.edu" for "fred.ad.cmu.edu" in the DNS response)
this leads to a vulnerability.  Microsoft Kerberos implementations
aren't subject to this attack.

Larry
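A small model of the lookup sequence Larry describes, added here as an illustration and not code from the thread or from MIT Kerberos: a constructed DNS table stands in for the resolver, and the canonicalize flag shows why a principal derived from DNS depends on whatever the reverse record says, while one built from the name the application asked for does not. The krb5.conf settings named in the comments (`dns_canonicalize_hostname`, `rdns`) are later MIT additions that the 2002 thread does not mention.

```python
# Constructed DNS data: forward (A) and reverse (PTR) records.
# "ad.cmu.edu" and "fred.ad.cmu.edu" come from the message above; the
# substituted PTR answer is a constructed example of a bad DNS response.
HONEST_DNS = {
    "A":   {"ad.cmu.edu": "10.0.0.5"},
    "PTR": {"10.0.0.5": "fred.ad.cmu.edu"},
}
# Same forward answer, but the reverse record has been substituted.
SPOOFED_DNS = {
    "A":   {"ad.cmu.edu": "10.0.0.5"},
    "PTR": {"10.0.0.5": "myevilmachine.cmu.edu"},
}


def canonical_hostname(host: str, dns: dict) -> str:
    """Model of the MIT behaviour described in the thread: forward lookup,
    then a reverse lookup of the answer, and the PTR result becomes the host
    part of the principal.  Names with no records fall back to the input."""
    addr = dns["A"].get(host.lower())
    if addr is None:
        return host.lower()
    return dns["PTR"].get(addr, host.lower())


def service_principal(gss_name: str, dns: dict, canonicalize: bool) -> str:
    """Turn a GSS host-based name 'service@host' into 'service/host'.

    canonicalize=True reproduces the DNS-dependent behaviour; False keeps the
    hostname the application supplied, which is what MIT's later
    [libdefaults] settings dns_canonicalize_hostname = false / rdns = false
    give you (those settings are not part of the original thread)."""
    service, _, host = gss_name.partition("@")
    if not service or not host:
        raise ValueError(f"expected 'service@host', got {gss_name!r}")
    target = canonical_hostname(host, dns) if canonicalize else host.lower()
    return f"{service}/{target}"


if __name__ == "__main__":
    for label, dns in (("honest DNS", HONEST_DNS), ("spoofed PTR", SPOOFED_DNS)):
        for canon in (True, False):
            print(f"{label:12s} canonicalize={canon!s:5s} -> "
                  f"{service_principal('ldap@ad.cmu.edu', dns, canon)}")
```

Only the canonicalized principal changes between the two tables; a client that keeps the requested name asks for ldap/ad.cmu.edu in both cases, so a forged reverse record cannot redirect which service key the KDC uses.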
