Solaris 9 latest OEM SSH + pam_krb5.so.1

Jeffrey Hutzelman jhutz at cmu.edu
Tue Jan 30 10:42:03 EST 2007



On Friday, January 19, 2007 04:05:40 PM -0500 Jeff Blaine 
<jblaine at kickflop.net> wrote:

>             Setting this value to  false  leaves
>             the  system  vulnerable  to DNS spoofing attacks.

This somewhat understates the problem, and IMHO doesn't do a very good job 
of describing what is going on here.  Basically, the idea is that if you 
are going to let a user log in by typing his Kerberos password, you want to 
be sure the resulting TGT was issued by a real TGT.  The way you do this is 
by getting a service ticket for some service whose key you know, and 
checking that the ticket is valid.

Setting this option to false disables that check, which means that a user 
can log in by putting a fake KDC on the network, typing a username and 
password, and arranging for his fake KDC's response to reach you before the 
real one.  This often isn't very hard, especially if the user has physical 
access to the machine's network connection.

The "DNS spoofing attacks" referred to in the documentation are on the 
lookup of the KDC's address - one way to insert a fake KDC is to convince 
your machine to send its KDC requests to the wrong IP address.  But there 
are plenty of other attacks which do not involve DNS and are often 
available to an attacker trying to log in on the console of a machine.



> 3.  My /etc/krb5/krb5.keytab *does* have (and has always had)
>      entries for both host/test.foo.com at JBTEST and
>      host/192.168.168.100 at JBTEST

Is JBTEST configured as the default realm in krb5.conf?
Do you have a domain_realm section mapping test.foo.com to JBTEST?
Is the krb5.conf file in the right place?


-- Jeff
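As an added example (not from this thread or from Solaris), the three krb5.conf questions above can be checked offline with a small script. It assumes that the [libdefaults] option `verify_ap_req_nofail` is the setting the quoted documentation refers to; the realm JBTEST and host test.foo.com are the values from the thread, and the sample configs are constructed.

```python
"""Added example, not from the thread: check a krb5.conf offline against the
three questions above.  verify_ap_req_nofail is assumed to be the [libdefaults]
option the quoted documentation refers to; JBTEST / test.foo.com are the
thread's own values."""
import re

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}; nested '{ }' braces
    are ignored, so inner lines land in the enclosing section (enough here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        sec = re.match(r"^\[(\w+)\]$", line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*([^{}]+)$", line)
        if kv and current is not None:
            sections[current][kv.group(1)] = kv.group(2).strip()
    return sections

def realm_for_host(conf, host):
    """[domain_realm] lookup as libkrb5 does it: exact host first, then each
    parent domain with a leading dot.  None if there is no explicit mapping."""
    mapping = conf.get("domain_realm", {})
    parts = host.lower().split(".")
    for i in range(len(parts)):
        key = ("" if i == 0 else ".") + ".".join(parts[i:])
        if key in mapping:
            return mapping[key]
    return None

def check_pam_krb5_config(text, host, realm):
    """Return a list of findings; an empty list means all three checks pass."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    if libdefaults.get("default_realm") != realm:
        findings.append("default_realm is not " + realm)
    if realm_for_host(conf, host) != realm:
        findings.append("no domain_realm mapping of %s to %s" % (host, realm))
    if libdefaults.get("verify_ap_req_nofail", "").lower() != "true":
        findings.append("verify_ap_req_nofail is not true: KDC is not verified")
    return findings

# Constructed sample configs for the demonstration; BAD_CONF turns the
# verification off and drops the domain_realm mapping.
GOOD_CONF = """[libdefaults]
    default_realm = JBTEST
    verify_ap_req_nofail = true
[domain_realm]
    .foo.com = JBTEST
"""
BAD_CONF = GOOD_CONF.replace("= true", "= false").replace("    .foo.com = JBTEST\n", "")
```

Run `check_pam_krb5_config(open("/etc/krb5/krb5.conf").read(), "test.foo.com", "JBTEST")` on the host in question; each string returned corresponds to one of the three questions.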
