What are the issues with dns_lookup_realm ?

Greg Hudson ghudson at MIT.EDU
Mon Oct 4 12:57:17 EDT 2010


On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
> (1) What DNS lookups are made by the workstation and/or the server when a
> connection takes place?

pc.foo.example.com looks up a TXT record for
_kerberos.server.bar.example.com.

> (2) Could any of the DNS responses take precedence over the default_realm
> specified in the config file for either the client or the server? (*)

Yes.  The precedence order of domain-realm mappings is:

  1. krb5.conf domain_realms
  2. KDC referrals
  3. DNS TXT lookups, if turned on
  4. The domain heuristic, if turned on
  5. The upper-cased parent realm of the hostname
  6. The default realm, if the hostname has no parent realm

So the default realm is actually not used in very many cases.

The "domain heuristic" is configured by setting [libdefaults]
realm_try_domains = N for some integer N, and involves trying to resolve
the hostname and N realm ancestors of it as Kerberos realms.

> (3) What's the worst that could happen if someone managed to insert a
> spoofed TXT record in one of the responses?

By spoofing a TXT reply, someone could cause you to use
host/server.bar.example.com@ATTACKER-REALM service tickets instead of
the correct tickets.  The attacker will presumably also spoof the IP
address of the server.  The client then successfully mutually
authenticates to the wrong host, and perhaps forwards credentials there
or enters a password, compromising the user's account.

For this attack to succeed, ATTACKER-REALM needs to be a realm which the
client can perform cross-realm authentication to.

If the domain heuristic is used instead of TXT records, there is the
potential for a similar attack if DNS lookups are enabled for KDC
resolution (which is the default), but the attack is limited to
ATTACKER-REALM values equal to ancestor domains of the server hostname.

> (4) Kerberos also relies on reverse DNS to map IP address to hostname (and
> hence to realm, either by domain_realm rules or by another DNS lookup). Are
> the security issues with dns_lookup_realm any more severe than those already
> inherent in IP to hostname lookups?

The issues are not substantially different, no.  We'd like to get away
from DNS canonicalization and have some plans to do so (basically, a KDC
configuration option determined at initial authentication time which
means "rely on KDC referrals instead of host canonicalization").

> (*) The documentation for default_realm is unclear. It says:
> 
> "If this is not specified and the TXT record lookup is enabled (see Using
> DNS), then that information will be used to determine the default realm"
> 
> which implies to me that the TXT record *won't* be looked up if you define
> default_realm, even if dns_lookup_realm is true.

The misunderstanding here is that "the default realm" is not the default
for host-to-realm mappings.  It's the default for parsing principal
names which don't contain realms--for example, if you "kinit bcandler"
instead of "kinit bcandler@EXAMPLE.COM".

The documentation is saying that you can use TXT records to determine
the default realm instead of configuring it explicitly on each client.
Of course, that allows an attacker to control a client's default realm,
which has some security implications (although fewer than you'd think,
since initial authentications won't succeed if you don't know a user's
password).
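As an added illustration (not code from this message or from MIT krb5), the following Python models the client-side host-to-realm precedence listed above, with DNS answers and the set of realms that have resolvable KDCs constructed in-line; the KDC referral step is modelled as an optional pre-supplied answer, and the TXT lookup is done only for the host's own name, as in the message.

```python
# Model of the domain-realm precedence from the message (constructed example).
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM"}  # krb5.conf [domain_realm]
DEFAULT_REALM = "EXAMPLE.COM"                            # krb5.conf default_realm
REALMS_WITH_KDCS = {"EXAMPLE.COM", "BAR.EXAMPLE.COM"}    # constructed: what KDC lookup resolves

def ancestors(host):
    """The host and each parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def config_realm(host):
    """Step 1: exact host entry, then '.parent' suffix entries, most specific first."""
    for i, name in enumerate(ancestors(host)):
        key = name if i == 0 else "." + name
        if key in DOMAIN_REALM:
            return DOMAIN_REALM[key]
    return None

def txt_realm(host, dns, dns_lookup_realm):
    """Step 3: TXT record for _kerberos.<host>, consulted only when enabled."""
    if not dns_lookup_realm:
        return None
    return dns.get("_kerberos." + host.lower().rstrip("."))

def heuristic_realm(host, realm_try_domains):
    """Step 4: try the host and N ancestors, upper-cased, as realms with KDCs."""
    if realm_try_domains is None:
        return None
    for name in ancestors(host)[: realm_try_domains + 1]:
        if name.upper() in REALMS_WITH_KDCS:
            return name.upper()
    return None

def host_realm(host, dns, dns_lookup_realm=False, realm_try_domains=None, referral=None):
    """Return (realm, source) following the precedence order in the message."""
    steps = [
        ("domain_realm", config_realm(host)),
        ("kdc_referral", referral),                      # step 2, supplied by the KDC
        ("dns_txt", txt_realm(host, dns, dns_lookup_realm)),
        ("heuristic", heuristic_realm(host, realm_try_domains)),
    ]
    for source, realm in steps:
        if realm:
            return realm, source
    parents = ancestors(host)[1:]
    if parents:                                          # step 5
        return parents[0].upper(), "parent_domain"
    return DEFAULT_REALM, "default_realm"                # step 6

# Constructed DNS answer: the spoofed TXT record from question (3).
DNS = {"_kerberos.server.bar.example.com": "ATTACKER-REALM"}
```

With `dns_lookup_realm` off, `server.bar.example.com` maps to BAR.EXAMPLE.COM from its parent domain; with it on, the spoofed TXT answer wins unless a `[domain_realm]` entry or a KDC referral covers the host first.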
