how to "ban" clients?

Chris Hecker checker at d6.com
Tue Jul 26 09:14:46 EDT 2011 

> I can understand the appeal of doing whatever you can because not all
> bad actors are perfect automatons with unlimited foresight, but it's
> not compelling to me in this case.

I do understand where you're coming from on the system complexity front, 
I really do.  However, the current behavior really does totally violate 
the principal of least surprise in a big way for new kerberos users.

I read a lot about how kerberos works and the philosophy and theory 
behind it before choosing it, and I was comfortable with the idea that 
already-issued tickets are trusted until they expire; that's a 
fundamental part of the model and why it scales.  That makes sense, and 
the engineering reasons behind that are sound, and I'm on board.

However, once somebody does have to go back to talk to the KDC, at that 
point it seems completely clear that -allow_tix should actually not 
allow any more tix.  I mean, really, come on.  :)

I spent a long time trying to figure out what I was doing wrong while I 
was testing this, since it was so clearly not doing the Right Thing.

It seems like there are three hesitations here:

a.  Whether it matters for security.  I would say it does matter, even 
though I understand your point about the bad guys and >0 weaknesses 
below.  However, I think it's pretty clear a little more security is 
better, as long as it doesn't cost too much complexity and performance, 
and it's well documented.  In fact, the very idea that a ticket has a 
lifetime is an argument for incremental security.  You can do damage, 
but not forever.  In this case, you can do damage, but not to any new 
principals.  They seem very similar in philosophy to me.

Also, as far as I can tell from reading the web, Windows AD shuts down 
all tickets for non-cross-realm principals when an account is 
disabled[1].  And finally, it's 100% obviously the more intuitive 
behavior to have the KDC stop issuing tickets, and I think making things 
intuitive where possible is a big win in lots of ways, including security.

b.  Complexity.  I'm about to make the change, and it doesn't look like 
it's going to be more than a few lines of code.  I'm also fixing the 
krb5_db_entry pass-by-value "bug" I mentioned in the private mail 
(because passing a 68 byte structure containing pointers by value gives 
me hives :), but the code for this client check and the aprof bool fetch 
are going to be short and easy to code-review.  Incidentally, I 
implemented and tested the one-line if-statement change to fix the 
-allow_svr u2u thing, and it works.  It fails to issue the ticket if you 
kvno princ, but it will let princ be the u2u server, so that's fixed 
locally and I'll send a patch (I will keep all three patches separate 
for your sanity).

c.  Performance.  I haven't tested this yet, but I am planning on 
writing a load tester for this stuff anyway, and so I'll be able to say 
quantitatively how much impact this has.  However, even if it's a 
significant performance hit, I would say the aprof bool is the right way 
to handle that, letting admins decide to trade off the performance for 
the additional security.  Admins already have some control over your #2 
below, they can trade scalability and convenience and have shorter lived 
tickets.

Obviously all I can do is request the feature, make the argument, and 
provide the patch.  Hopefully the patch will be simple and clear enough, 
and the performance impact low enough, that you'll be convinced!  If 
not, hey, that's the beauty of open-source, I can fix it for me, put the 
patch on my website, and it's just a bit more friction for admins if 
they want the feature.  But, hopefully it'll go into mainline, because 
patch management sucks.  :)

> (Trivia: we used to sort of address (3) by refusing to unwrap
> messages in the GSSAPI krb5 mech after a user's tickets expired.

Hah, in my next batch of spam to the list I was going to ask about 
exactly how that is handled, but I figured I should look at the source 
for mk_safe and mk_priv first to see if they check expirations.  It 
sounds like you're saying they don't.  I was thinking about this and it 
does seem complicated to handle robustly for clients if things just 
start failing and you need to reauth in the middle of communications. 
Some sample code might help people do this right.  I'll ask about the 
best way to handle that in a different thread next week maybe.

Thanks,
Chris

[1]  "When the administrator disables the user account in emea, he or 
she won’t be able to get any more tickets for resources in emea. The 
user will however still be able to get new tickets for resources in the 
asiapac domain—this will be possible as long as the user’s TGT for 
asiapac remains valid. The reason for this is that the DCs in the 
asiapac domain don’t check the user’s account status when they issue 
tickets." 
http://books.google.com/books?id=05xyiZqC8ToC&lpg=PA178&ots=Bx9VV3TWvk&pg=PA178#v=onepage&q&f=false



On 2011/07/26 04:59, ghudson at MIT.EDU wrote:
> Let's try again without the analogies.
>
> It's a reasonable desire to want to flip a switch and make a
> particular user instantly unable to affect your environment.  That's
> the kind of thing you should get from a centrally managed
> authentication system, right?  Unfortunately, there are three holes
> big enough to drive a truck through:
>
>    1. The user can keep requesting service tickets until the user's TGT
>       expires.
>
>    2. The user can keep using service tickets until they expire.
>
>    3. The user can keep using active sessions until the session is
>       invalidated somehow (interrupted connection, restarted client or
>       server).
>
> You're proposing to fix (1), which is the only one of the three which
> can be addressed on the KDC.  This comes at either a performance cost
> (looking up the client every time, if it's a local principal) or a
> complexity cost (adding a configuration variable, and making the TGS
> validation code paths conditional on whether or not we've looked up
> the client).  Certainly, addressing (1) would limit the scope of the
> things a bad actor could do after account closure, but not completely,
> and only if the bad actor didn't anticipate the account closure by
> requesting a bunch of service tickets.
>
>> From an implementor's perspective, it's sometimes better to have a
> simpler system with three weaknesses than a more complicated system
> with two.  An attacker doesn't care about the number of weaknesses as
> long as it's positive.  I can understand the appeal of doing whatever
> you can because not all bad actors are perfect automatons with
> unlimited foresight, but it's not compelling to me in this case.
>
> To actually get rapid-reaction account closure, you need to implement
> a temporary blacklist in the servers--and in your case, possibly also
> in the clients.  I know, that's a huge headache for an application
> developer to have to worry about.  But I don't think there's a
> comprehensive substitute at the Kerberos level.
>
> (Trivia: we used to sort of address (3) by refusing to unwrap messages
> in the GSSAPI krb5 mech after a user's tickets expired.  That at least
> puts a time bound on how long the user can affect services, for
> applications using GSSAPI wrap and unwrap.  We had to turn this off
> because it was too disruptive to existing applications, which were
> generally not written by security people.  Also, there are a lot of
> applications like ssh which don't use GSSAPI wrap and unwrap, so it
> wasn't really solving the problem.)
>

More information about the Kerberos mailing list