Is "SPN advertisement" or well-known SPNs a security hole?
Russ Allbery
rra at stanford.edu
Mon Jan 14 17:37:07 EST 2008
Srinivas Kakde <srinivas.kakde at yahoo.com> writes:
> There is an old posting to samba-technical
>
> http://lists.samba.org/archive/samba-technical/2007-July/054354.html
>
> This message says: From a security standpoint, allowing the server to
> specify its service principal is a "bad idea".
>
> Why it a bad idea?
If the client trusts the server's assertion of what Kerberos service it
is, a server with any service principal in either the client's realm or a
realm with which it has cross-realm trust can then pretend to be any
service without failing mutual authentication.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list