Solaris 9 latest OEM SSH + pam_krb5.so.1

Jeff Blaine jblaine at kickflop.net
Wed Jan 31 11:48:40 EST 2007


Jeffrey Hutzelman wrote:
> On Friday, January 19, 2007 04:05:40 PM -0500 Jeff Blaine 
> <jblaine at kickflop.net> wrote:
> 
>>             Setting this value to false leaves
>>             the system vulnerable to DNS spoofing attacks.
> 
> This somewhat understates the problem, and IMHO doesn't do a very good 
> job of describing what is going on here.  Basically, the idea is that if 
> you are going to let a user log in by typing his Kerberos password, you 
> want to be sure the resulting TGT was issued by a real TGT.  The way you 
> do this is by getting a service ticket for some service whose key you 
> know, and checking that the ticket is valid.
> 
> Setting this option to false disables that check, which means that a 
> user can log in by putting a fake KDC on the network, typing a username 
> and password, and arranging for his fake KDC's response to reach you 
> before the real one.  This often isn't very hard, especially if the user 
> has physical access to the machine's network connection.
> 
> The "DNS spoofing attacks" referred to in the documentation are on the 
> lookup of the KDC's address - one way to insert a fake KDC is to 
> convince your machine to send its KDC requests to the wrong IP address.  
> But there are plenty of other attacks which do not involve DNS and are 
> often available to an attacker trying to log in on the console of a 
> machine.

Thanks for the more detailed explanation.

>> 3.  My /etc/krb5/krb5.keytab *does* have (and has always had)
>>      entries for both host/test.foo.com@JBTEST and
>>      host/192.168.168.100@JBTEST
> 
> Is JBTEST configured as the default realm in krb5.conf?
> Do you have a domain_realm section mapping test.foo.com to JBTEST?
> Is the krb5.conf file in the right place?

Yup
Yup
Yup
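
An added example, not part of the original message or of any Solaris or Kerberos code: a small Python check of the three krb5.conf questions asked above, plus the verification setting the quoted documentation warns about. It assumes that sentence describes the `verify_ap_req_nofail` option in `[libdefaults]` (the thread does not name it) and that an unset option counts as enabled; the function names, the sample file contents and `kdc.foo.com` are constructed for illustration.

```python
import re

FALSE_VALUES = {"false", "no", "off", "0", "n", "nil"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; nested { } stanzas are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a { ... } stanza such as a realm definition
            depth += line.count("{") - line.count("}")
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value.endswith("{"):
                depth = 1
            else:
                current[key] = value
    return sections

def realm_for_host(conf, host):
    """Simplified lookup: exact host name, then each parent domain with a leading dot."""
    mapping = conf.get("domain_realm", {})
    parts = host.lower().split(".")
    names = [".".join(parts)] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]
    return next((mapping[n] for n in names if n in mapping), None)

def audit(text, host, realm):
    """List the problems found for this host and realm (empty list = all checks pass)."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings = []
    if lib.get("default_realm") != realm:
        findings.append("default_realm is not " + realm)
    if realm_for_host(conf, host) != realm:
        findings.append("no domain_realm mapping from %s to %s" % (host, realm))
    # Assumption: an unset verify_ap_req_nofail is treated as enabled.
    if lib.get("verify_ap_req_nofail", "true").lower() in FALSE_VALUES:
        findings.append("verify_ap_req_nofail is false: TGT not checked against the host key")
    return findings

# Constructed sample files, not taken from the thread.
GOOD = "[libdefaults]\n default_realm = JBTEST\n[realms]\n JBTEST = {\n  kdc = kdc.foo.com\n }\n[domain_realm]\n .foo.com = JBTEST\n"
WEAK = "[libdefaults]\n default_realm = JBTEST\n verify_ap_req_nofail = false\n"

if __name__ == "__main__":
    print(audit(GOOD, "test.foo.com", "JBTEST"))
    print(audit(WEAK, "test.foo.com", "JBTEST"))
```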


