Is "SPN advertisement" or well-known SPNs a security hole?

Russ Allbery rra at stanford.edu
Mon Jan 14 20:42:27 EST 2008


Srinivas Kakde <srinivas.kakde at yahoo.com> writes:

> Is this right?  How does it not fail mutual authentication?
>
> Does mutual authentication not require an exchange of AP-REQ and AP-REP?
> How would a malicious service (a service that is pretending to be another
> service in the realm) acquire the session key from the ticket in the
> AP-REQ (from a client) to produce the EncAPRepPart of the AP-REP unless
> it has the right key in its keytab?

It tells the client to authenticate to a principal that's under the
control of the attacker.  The client then obtains a valid Kerberos
authenticator for a principal that has nothing to do with the site that
the client was intending to connect to, but which the attacker has the key
for.  If the client accepts the server's word for what the principal
should be, there's no way to prevent this.

> If a service advertises a service principal name and a client is able to
> use this name and obtain a valid AP-REQ, I think:
>
> 1) KDC/TGS must have an entry for the name (so that clients can obtain a
> service ticket for the AP-REQ)
>
> 2) Service must have the key that matches the name in its keytab (so it
> can extract the session key from the service ticket and produce AP-REQ).
>
> If you can (1) create account on KDC/TGS and (2) create keytab on the
> service host with the correct key to decrypt service tickets, you would
> need to be realm admin.  Therefore not malicious?

Why would you need to be realm admin to have an entry in the KDC?  Every
single user at Stanford has an entry in the KDC for their own individual
account, for example, which they could use to spoof any service at
Stanford under this authentication model.

Leaving aside cross-realm trust.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
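The following is an added example, not code from the original post, from Russ Allbery or from any Kerberos implementation. It shows the client-side policy the reply argues for: the client decides which principal it is willing to authenticate to from the host it meant to reach, the service it asked for and the realm it trusts, and treats a server-advertised SPN as at most a hint that must agree with that expectation. An advertised user principal, a different host, or a different realm is rejected before any ticket is requested. The function names, the allowlist of service names, and the sample realm, hosts and principals are all constructed for the example.

```python
"""Client-side check on a server-advertised service principal name (SPN).

Added example (not part of the mailing-list thread or any Kerberos code).
The thread's point: a client that authenticates to whatever principal the
server names will obtain an authenticator for any principal the server's
operator holds a key for, including an ordinary user principal. The client
must therefore derive the expected principal from its own intent and only
accept an advertised name that agrees with it. Every name below is constructed.
"""

from dataclasses import dataclass
from typing import Optional, Tuple

# Service names this client is willing to talk to (constructed allowlist).
ALLOWED_SERVICES = frozenset({"host", "imap", "ldap"})


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # e.g. ("imap", "mail.example.com")
    realm: str

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def parse_principal(text: str) -> Principal:
    """Parse 'a/b@REALM'. Deliberately minimal: no backslash escapes."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    comps = tuple(name.split("/"))
    if any(c == "" for c in comps):
        raise ValueError(f"empty component in principal: {text!r}")
    return Principal(comps, realm)


def canonical_host(hostname: str) -> str:
    """Host components are compared lower-case and without a trailing dot."""
    return hostname.strip().rstrip(".").lower()


def expected_spn(service: str, intended_host: str, realm: str) -> Principal:
    """The principal the client should authenticate to, derived only from the
    client's own intent: the service it asked for, the host it connected to
    and the realm it trusts. Nothing here comes from the server."""
    return Principal((service, canonical_host(intended_host)), realm)


def check_advertised_spn(advertised: str, intended_host: str, realm: str,
                         service_hint: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accept, reason). The advertised name may at most select which
    allowed service name is used; host and realm are never taken from it."""
    try:
        adv = parse_principal(advertised)
    except ValueError as err:
        return False, str(err)
    if len(adv.components) != 2:
        # A user principal such as 'mallory@REALM' has one component;
        # anything that is not exactly service/host is not a service name.
        return False, f"not a service/host principal: {adv}"
    service, _host = adv.components
    if service not in ALLOWED_SERVICES:
        return False, f"service {service!r} not in allowlist"
    if service_hint is not None and service != service_hint:
        return False, f"advertised service {service!r} != requested {service_hint!r}"
    want = expected_spn(service, intended_host, realm)
    if adv != want:
        # Host differs from the one we connected to, or the realm differs
        # (cross-realm trust is out of scope here, as in the thread).
        return False, f"advertised {adv} != expected {want}"
    return True, f"accepted {adv}"


if __name__ == "__main__":
    # Constructed cases: one legitimate advertisement, then the patterns the
    # thread describes (a user principal, another host, another realm).
    cases = [
        ("imap/mail.example.com@EXAMPLE.COM", "mail.example.com"),
        ("mallory@EXAMPLE.COM", "mail.example.com"),
        ("imap/other.example.com@EXAMPLE.COM", "mail.example.com"),
        ("imap/mail.example.com@OTHER.ORG", "mail.example.com"),
    ]
    for spn, host in cases:
        ok, why = check_advertised_spn(spn, host, "EXAMPLE.COM")
        print("ACCEPT" if ok else "REJECT", why)
```

The check runs before the client asks the KDC for a ticket, so a rejected advertisement never produces an authenticator at all; with mutual authentication enabled, the AP-REP that follows then proves the server holds the key for the principal the client itself chose, which is the property the quoted question assumes but only holds once the name is fixed on the client side.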