Is "SPN advertisement" or well-known SPNs a security hole?

Srinivas Kakde srinivas.kakde at yahoo.com
Mon Jan 14 20:39:04 EST 2008 

Russ,



Thank you for responding.


Russ Allbery wrote:

> If the client trusts the server's assertion of what Kerberos service it

> is, a server with any service principal in either the client's realm or
 a

> realm with which it has cross-realm trust can then pretend to be any

> service without failing mutual authentication.


Is this right?  How does it not fail mutual authentication?


Does not mutual authentication requires exchange of AP-REQ and AP-REP.  How would a malicious service (a service that pretending to be another service in the realm) acquire the session key from the ticket in the AP-REQ (from a client) to produce the EncAPRepPart of the AP-REP unless it has the right key in its keytab?

If a service advertise a service principal name and a client is able to use this name and obtain a valid AP-REQ, I think:

1) KDC/TGS must have an entry for the name (so that clients can obtain a service ticket for the AP-REQ)
2) Service must have the key that matches the name in its keytab (so it can extract session key from the service ticket and produce AP-REQ).

If you can (1) create account on KDC/TGS and (2) create keytab on the service host with the correct key to decrypt service tickets,  you would need to be realm admin.  Therefore not malicious?



----- Original Message ----
From: Russ Allbery <rra at stanford.edu>
To: Srinivas Kakde <srinivas.kakde at yahoo.com>
Cc: kerberos at mit.edu
Sent: Monday, January 14, 2008 3:37:07 PM
Subject: Re: Is "SPN advertisement" or well-known SPNs a security hole?


Srinivas Kakde <srinivas.kakde at yahoo.com> writes:

> There is an old posting to samba-technical
>
> http://lists.samba.org/archive/samba-technical/2007-July/054354.html
>
> This message says: From a security standpoint, allowing the server to
> specify its service principal is a "bad idea".
>
> Why it a bad idea?  

If the client trusts the server's assertion of what Kerberos service it
is, a server with any service principal in either the client's realm or
 a
realm with which it has cross-realm trust can then pretend to be any
service without failing mutual authentication.

-- 
Russ Allbery (rra at stanford.edu)            
 <http://www.eyrie.org/~eagle/>






      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

More information about the Kerberos mailing list