that interop mess: ldap, samba, kerberos

Turbo Fredriksson turbo at bayour.com
Tue Nov 22 04:24:32 EST 2005


Quoting Sam Hartman <hartmans at mit.edu>:

>>>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:
>
>
>     Turbo> Since I've separated AUTHENTICATION and AUTHORIZATION,
>     Turbo> there's no need for an LDAP/slapd keytab...
>
> Then you have a security hole.
>
> Take a look at the following text from section 10 of RFC 4120:
>
>    Proper decryption of an KRB_AS_REP message from the KDC is not
>    sufficient for the host to verify the identity of the user; the user
>    and an attacker could cooperate to generate a KRB_AS_REP format
>    message that decrypts properly but is not from the proper KDC.  To
>    authenticate a user logging on to a local system, the credentials
>    obtained in the AS exchange may first be used in a TGS exchange to
>    obtain credentials for a local server.  Those credentials must then
>    be verified by a local server through successful completion of the
>    Client/Server exchange.
>
> In particular just doing a kinit does not actually verify that the
> password is correct; it simply verifies the passwords typed at the
> command line and used by the server claiming to be the KDC are the
> same.  You need a keytab to confirm the KDC is really a KDC.

Eh... What? From what I know, slapd doesn't have any means of specifying
a keytab, so even if you create one, slapd won't use it...

It knows what a srvtab is, but that's for Kerberos IV...


I don't have a clue what you're talking about, but you made me worried :)
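The check Sam is describing, worked through as an added toy model. This is not code from the list, from MIT Kerberos or from slapd: the "KDC", the sealing primitive (HMAC-SHA256 keyed checksum plus keystream, standing in for a Kerberos encryption type), the principal names and the password are all constructed here, and the function names `login` and `attempt` are illustrative. It shows why decrypting the AS-REP under the user's password proves nothing about the KDC when the user and the "KDC" are both the attacker, and why a ticket that must verify under the host's keytab key does.

```python
"""Toy model of the RFC 4120 section 10 check: constructed example, not
real Kerberos. Messages are JSON blobs sealed under a 32-byte key with an
HMAC-SHA256 tag, so decrypting under the wrong key fails loudly, as the
keyed checksum in a Kerberos encryption type does."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

USER = "turbo@EXAMPLE.COM"          # constructed client principal
SERVICE = "ldap/ldap.example.com"   # constructed service principal
PASSWORD = "correct horse"          # constructed; a cooperating user shares it


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: sealed under a different key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class Kdc:
    """A KDC knows the user's key and the service's key (the twin of the keytab).
    A fake KDC run with a cooperating user knows the first but not the second."""

    def __init__(self, user_key: bytes, service_key: bytes):
        self.user_key = user_key
        self.service_key = service_key
        self.tgs_key = secrets.token_bytes(32)   # krbtgt key, never leaves the KDC

    def as_rep(self, client: str) -> bytes:
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.user_key, {"session": session, "tgt": tgt.hex()})

    def tgs_rep(self, tgt: bytes, service: str) -> bytes:
        client = unseal(self.tgs_key, tgt)["client"]
        # The service ticket is sealed under the service key: only a KDC that
        # really shares that key with the host's keytab can mint one.
        return seal(self.service_key, {"client": client, "service": service,
                                       "session": secrets.token_bytes(32).hex()})


def login(kdc: Kdc, password: str, keytab_key: Optional[bytes]) -> dict:
    """Host-side logon. keytab_key=None models 'just doing a kinit'."""
    user_key = derive_key(password, USER)
    as_rep = unseal(user_key, kdc.as_rep(USER))          # AS exchange
    result = {"as_rep_decrypted": True, "kdc_verified": False}
    if keytab_key is None:
        return result   # no keytab: whoever answered is accepted as the KDC
    ticket = kdc.tgs_rep(bytes.fromhex(as_rep["tgt"]), SERVICE)   # TGS exchange
    svc = unseal(keytab_key, ticket)                     # AP exchange vs. local keytab
    if svc["client"] != USER or svc["service"] != SERVICE:
        raise ValueError("ticket names the wrong principal")
    result["kdc_verified"] = True
    return result


def attempt(kdc: Kdc, password: str, keytab_key: Optional[bytes]) -> str:
    """'verified', 'unverified' (kinit-only, KDC unchecked) or 'rejected'."""
    try:
        return "verified" if login(kdc, password, keytab_key)["kdc_verified"] else "unverified"
    except ValueError:
        return "rejected"


USER_KEY = derive_key(PASSWORD, USER)
KEYTAB_KEY = secrets.token_bytes(32)                 # the host's keytab entry for SERVICE
REAL_KDC = Kdc(USER_KEY, KEYTAB_KEY)
FAKE_KDC = Kdc(USER_KEY, secrets.token_bytes(32))    # knows the password, not the keytab

if __name__ == "__main__":
    print("real KDC, keytab   :", attempt(REAL_KDC, PASSWORD, KEYTAB_KEY))
    print("fake KDC, kinit-only:", attempt(FAKE_KDC, PASSWORD, None))
    print("fake KDC, keytab   :", attempt(FAKE_KDC, PASSWORD, KEYTAB_KEY))
```

The kinit-only path reports the same result for the real and the fake KDC, which is the hole being described; only the path that forces a ticket for a local service and verifies it under the keytab can tell them apart. MIT Kerberos exposes this check as `krb5_verify_init_creds`, which is what a login program is expected to call after obtaining initial credentials.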


More information about the Kerberos mailing list