Preventing an attacker to steal credential and to compromise a whole kerberized network?

Nico Williams nico at cryptonector.com
Tue Oct 11 15:35:26 EDT 2011


On Tue, Oct 11, 2011 at 1:07 PM, Mike Spinzer <mspinzer at yahoo.com> wrote:
> Thanks a lot for all your answers. Trying to limit the attack on the server itself seems to me difficult since by definition we consider that the server is owned by the attacker.
> I was wondering if it would not be possible to instead put some restrictions on the ticket itself. For instance by including the IP address where it's valid.

IP addresses in tickets don't really buy you anything, as it may not
be difficult to forge a source IP address in your environment.

Better to not forward credentials.  Credential forwarding is a bad habit.

> More generally, is there any way to include some roles into a ticket, for instance to indicate that it can be used to authenticate locally with ksu but not to open a remote SSH to another server?

The only currently available constrained ticket facility that we have
is S4U2Proxy, really.

I'd be interested in a "GSS agent" extension to the ssh-agent, so that
all server-side uses of the GSS initiator credential are proxied back
to the client.  But you can't expect the user to approve of every
use...  at best the user could have some rules to apply to credential
uses.

In any case, in your use case the solution is to have all connections
emanate from the same client, as opposed to chaining across one or
more servers.

Nico
--
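
One way to check clients for the credential forwarding the reply advises against. This is an added example, not part of the original message: it flags OpenSSH client blocks that set `GSSAPIDelegateCredentials yes` and krb5.conf sections that make tickets forwardable by default. The host names, realm, sample file contents and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the original message).
SAMPLE_SSH_CONFIG = """\
Host jump.example.org
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIDelegateCredentials no
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
    forwardable = true
[realms]
    EXAMPLE.ORG = { kdc = kdc.example.org }
"""
TRUE_VALUES = {"y", "yes", "t", "true", "on", "1"}

def ssh_delegating_hosts(text):
    """Return Host/Match patterns whose block enables GSS credential delegation.

    ssh_config uses the first value obtained for an option, so a "yes" in a
    specific block wins over a later "no" under "Host *".
    """
    hosts, current = [], "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "key value" and "key=value" both occur.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = value
        elif key == "gssapidelegatecredentials" and value.lower() == "yes":
            hosts.append(current)
    return hosts

def krb5_forwardable_sections(text):
    """Return top-level krb5.conf sections that set forwardable to true.

    Assumption: only one-per-line "forwardable = value" settings are checked,
    not settings nested inside brace-delimited subsections.
    """
    found, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section = m.group(1)
        elif (m := re.fullmatch(r"forwardable\s*=\s*(\S+)", line, re.I)) \
                and m.group(1).lower() in TRUE_VALUES:
            found.append(section)
    return found

if __name__ == "__main__":
    print("ssh delegation enabled for:", ssh_delegating_hosts(SAMPLE_SSH_CONFIG))
    print("krb5 forwardable set in:", krb5_forwardable_sections(SAMPLE_KRB5_CONF))
```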


