clock skew and preauth

Greg Hudson ghudson at MIT.EDU
Wed Mar 21 00:29:08 EDT 2012


On 03/21/2012 12:17 AM, Nico Williams wrote:
> On Tue, Mar 20, 2012 at 9:23 PM, Greg Hudson <ghudson at mit.edu> wrote:
>> krb5_init_creds_get_error and krb5_set_real_time(), but given what I
>> know about your deployment, it's probably easier to modify get_in_tkt.c
>> to set the offsets when a preauth-required error is received.
> 
> Is there any reason that there couldn't be a built-in option to just do that?

Well, before we go creating an option which is very difficult to
describe to non-experts, it's worth considering whether it can just be
folded into kdc_timesync (which defaults to true).

The major worry is that the time in a krb-error message is not
authenticated to the client as being from the KDC (well, it may be, if
there's a FAST channel, but it isn't necessarily).  So an attacker can
modify the reply to fool the client into using a different clock value
at least for the purposes of the preauth request.  As noted in RFC 6113,
"an attacker may trick the client into producing an authentication
request that is valid at some future time.  The attacker may be able to
use this authentication request to make it appear that a client has
authenticated at that future time."

Although the attacker wouldn't be able to decrypt the resulting tickets,
such an attack can still have an impact on (1) the KDC's accounting
logs, and (2) the KDC's account lockout counters.  However, an attacker
who can carry out this attack is also in a position to conduct an
offline dictionary attack against the user's password, so (2) isn't of
any additional value.
