Security pointers about Kerberos5 realms open to a WAN

Christopher D. Clausen cclausen at acm.org
Wed Nov 1 19:19:29 EST 2006


Daniel Kahn Gillmor <dkg-mit.edu at fifthhorseman.net> wrote:
> I think i understand the basic K5 protocol, but i don't have my head
> wrapped around the different possible attack vectors well enough to
> know if opening up a KDC to the internet is really asking for trouble
> (e.g. how much krb5 traffic needs to be sniffed for an attacker to
> compromise a ticket within the ticket's expiration window?).
>
> Has anyone on this list run KDCs that are globally accessible?

Yes.  I would imagine that nearly all sites running globally accessible 
OpenAFS cells would need globally accessible Kerberos realms to actually 
allow users to authenticate.

> did you use IP-based blocking on IPs with too many failed
> auth requests?

No.  The KDC just issues tickets.  There is no way to tell if 
authentication was successful or not (unless you enable pre-auth, which 
you probably should.)  And even if pre-auth is turned on, there isn't 
much point in trying to block certain IPs, as you'll probably just end 
up blocking valid users, as you mention below.

> if so, did you experience problems with NAT'ed
> users locking each other out?

I don't know of an easy way to actually lock out users with standard MIT 
Kerberos.  As mentioned, there is no way to tell if authentication was 
successful or not.  I supose you could read through the KDC logs and 
disable IPs where preauthentication has failed.  But as you mention, 
this will probably just lock out legit users who share the same external 
IPs.

Its more likely that someone is going to attempt attacks SSH or some 
other service that checks Kerberos on the server-side rather than 
Kerberos directly.  The SSH attack will work against nearly all UNIX 
hosts, and the Kerberos attack would need to be specific as well as 
generate lots and lots of logs on the KDC.

Without pre-auth, one could just request a single ticket for any 
principal and then crack it offline.  (I belive john the ripper has 
Kerberos TGT cracking support now, at least for DES tickets.)

> did you tunnel your krb5 traffic inside some other encrypted layer
> (e.g. ssl or ssh) to avoid sniffing?  Is this even necessary?

This is not necessary.  Kerberos was designed to run on top of a 
untrusted network.  That being said, it certainly wouldn't hurt to have 
the Kerberos traffic additionally encrypted, as offline attacks against 
un-preauthenticated TGTs (or even properly preauthenticated TGTs that 
are sent over the network and passively gathered) are more and more 
feasable.

Kerberos does depend upon properly functioning DNS as well.  Its 
possible that a compromised DNS service could do evil things to your 
Kerberos infrastructure.

> Is there some documentation i've missed?

Yes, there would appear so, as some of these questions are answered in 
various online sources in much more detail.

> Am i crazy for even considering krb5 on a WAN?

No, that is the exact situation that Kerberos was designed for.

-----

I'd suggest having a minimum password length of at least 8 and requiring 
at least 2 different character classes in Kerberos passwords.  Using 
longer passwords and more characters classes would of course be better, 
but might annoy some users.  This should make offline cracking harder.

<<CDC
-- 
Christopher D. Clausen
ACM at UIUC SysAdmin 




More information about the Kerberos mailing list