Security pointers about Kerberos5 realms open to a WAN
Daniel Kahn Gillmor
dkg-mit.edu at fifthhorseman.net
Wed Nov 1 17:55:59 EST 2006
Hi kerberos folks--
Could anyone point me to information about the security concerns
involved with opening a krb5 realm to the Internet (or any other
untrusted WAN)?
I've looked in several places, but could only find a couple of remarks
on this list from last year:
http://mailman.mit.edu/pipermail/kerberos/2005-March/007331.html
http://mailman.mit.edu/pipermail/kerberos/2005-March/007332.html
And those dealt with data reliability issues (TCP instead of UDP)
instead of security issues.
i found a 5-year-old thread here:
http://www.sage.org/lists/sage-members-archive/2001/msg00349.html
but it is negative about K4 and fairly vague about kerberos version 5
(and i'm not planning on using K4, even in translation).
I think i understand the basic K5 protocol, but i don't have my head
wrapped around the different possible attack vectors well enough to
know if opening up a KDC to the internet is really asking for trouble
(e.g. how much krb5 traffic needs to be sniffed for an attacker to
compromise a ticket within the ticket's expiration window?).
Has anyone on this list run KDCs that are globally accessible? Do you
have any tricks you'd like to share?
For example:
did you use IP-based blocking on IPs with too many failed
auth requests? if so, did you experience problems with NAT'ed
users locking each other out?
did you tunnel your krb5 traffic inside some other encrypted layer
(e.g. ssl or ssh) to avoid sniffing? Is this even necessary?
Is there some documentation i've missed? Am i crazy for even
considering krb5 on a WAN?
Any advice or pointers would be most appreciated.
Regards,
--dkg
More information about the Kerberos
mailing list