Question about dns_lookup_realm and domain_realm
Ken Raeburn
raeburn at MIT.EDU
Fri Jun 27 11:32:28 EDT 2008
On Jun 27, 2008, at 11:17, Simo Sorce wrote:
> this statement is interesting, how are TXT records "insecure"?
If a forged TXT RR is received, the client may be told the server is
in a different realm. That realm may have been compromised by an
attacker, and cross-realm authentication to it may be possible
(especially if and when we get something PKINIT-like deployed). So
the client can "successfully" authenticate to host/server.foo.com@BLACK-HATS.TLD,
and never know that that's not the principal it should be
authenticating to for server.foo.com.
> Isn't "validation" all about verifying the KDC is one we can really
> trust by using a trusted secret?
Cross-realm authentication and the possibility of compromised
"neighbor" realms makes it much more complicated.
> How is local configuration data trustworthy given that to resolve names
> to IPs we still rely on DNS?
Trusting address records from DNS, but not trusting DNS at all for
authentication purposes, would mean the attacker could get the client
to connect to server.black-hats.tld, but it would try authenticating
to the originally intended service principal; since the black hats
don't have the service key, it would fail, and the client should
disconnect. It's a denial of service, but not a transparent spoofing
of the service.
> Do we have information on which clients support referrals ?
Current Microsoft and MIT clients do; I wouldn't be surprised if
Heimdal does as well.
> And are they implemented in MIT KDC (and how) ?
Not yet. A basic implementation (using the domain_realm mapping from
the KDC's config files) is currently on my plate.
Ken
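As an added illustration (my example, not code from this thread or from MIT krb5), a small Python model of the host-to-realm mapping order Ken describes: the local [domain_realm] table is consulted first, and DNS TXT records only when dns_lookup_realm is enabled. The hostnames, realm names and TXT answers are constructed; the functions and the dictionary-backed "resolver" are assumptions for the demo.

```python
from typing import Optional

def realm_from_domain_realm(host: str, domain_realm: dict) -> Optional[str]:
    """Local [domain_realm] mapping: exact host first, then each parent
    domain with a leading dot (".foo.com" covers every host under foo.com)."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None

def realm_from_dns_txt(host: str, txt_records: dict) -> Optional[str]:
    """DNS realm lookup: _kerberos.<host>, then _kerberos.<each parent domain>.
    txt_records stands in for an unauthenticated DNS resolver (assumption)."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt_records:
            return txt_records[name]
    return None

def service_principal(host: str, domain_realm: dict, txt_records: dict,
                      dns_lookup_realm: bool, default_realm: str) -> str:
    """Build host/<host>@<realm> the way a client would before requesting a ticket."""
    realm = realm_from_domain_realm(host, domain_realm)
    if realm is None and dns_lookup_realm:      # DNS only consulted as a fallback
        realm = realm_from_dns_txt(host, txt_records)
    if realm is None:
        realm = default_realm
    return f"host/{host}@{realm}"

# Constructed data: a forged TXT answer steering foo.com hosts to another realm,
# and the local mapping that makes the client ignore it.
FORGED_TXT = {"_kerberos.foo.com": "BLACK-HATS.TLD"}
LOCAL_MAP = {".foo.com": "FOO.COM"}

def demo():
    # No local mapping and dns_lookup_realm on: the forged TXT picks the realm,
    # so the client asks for a ticket to a principal in the wrong realm.
    spoofed = service_principal("server.foo.com", {}, FORGED_TXT, True, "FOO.COM")
    # Local [domain_realm] entry present: DNS is never asked for the realm.
    mapped = service_principal("server.foo.com", LOCAL_MAP, FORGED_TXT, True, "FOO.COM")
    # dns_lookup_realm off and no mapping: default_realm is used instead.
    default = service_principal("server.foo.com", {}, FORGED_TXT, False, "FOO.COM")
    return spoofed, mapped, default
```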