theory behind unique SPNs

Simo Sorce simo at redhat.com
Fri Apr 24 18:01:53 EDT 2015


On Fri, 2015-04-24 at 16:46 -0400, Greg Hudson wrote:
> On 04/24/2015 03:37 PM, Ben H wrote:
> > Why not simply use host/serverA.domain.com for both services?
> 
> At a protocol level, it's to support privilege separation on the server.
>  The CIFS server doesn't need access to the LDAP server key and vice versa.
> 
> Of course you only get this benefit if (a) the two services use
> different keys, and (b) the two service implementations are sufficiently
> isolated on the server host.  In a normal AD deployment (as I understand
> it) the first constraint isn't true, but the client shouldn't assume that.

I would make it clear that key separation is used to avoid privilege
escalation attacks.
A service with access to the key can fabricate a ticket that will be
seen by the target service as perfectly valid and the contents can
be arbitrary.

If the HTTP service is compromised and it uses the same key as the host/
service then the attacker can fabricate a ticket for host/ where the
client principal has an arbitrary name, like root at REALM.EXAMPLE.COM,
then use this ticket to log in via SSH and be root.

The reason why Active Directory uses a single key is that it assumes the
client employs privilege separation techniques, where services do not
have direct access to the machine keys but rather use system provided
services (via SSPI) to accept and validate connections.

We've been working to allow Linux/Unix machines to do the same with the
GSS-Proxy project, where keys can be segregated from the application.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
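The property Simo describes above (whoever holds a service's key can mint tickets that service accepts, so a shared key lets a compromised service impersonate any client to the other service) can be shown with a small model. The following is an added illustration, not code from the post or from GSS-Proxy: tickets are modelled as an HMAC-protected body rather than an encrypted blob (real Kerberos tickets are encrypted under the service's long-term key, but the trust relationship is the same), the KDC is a key-derivation stand-in, and `derive_service_key`, `issue_ticket`, `accept_ticket` and the master secret are all constructed names and values. Only the realm and the `host/serverA.domain.com` name come from the thread.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

TAG_LEN = 32  # SHA-256 HMAC tag appended to every ticket
REALM = "REALM.EXAMPLE.COM"  # realm named in the post
HOST_SPN = f"host/serverA.domain.com@{REALM}"
HTTP_SPN = f"HTTP/serverA.domain.com@{REALM}"


def derive_service_key(master_secret: bytes, spn: str) -> bytes:
    """Constructed KDC stand-in: one long-term key per service principal name."""
    return hashlib.sha256(master_secret + b"|" + spn.encode()).digest()


def issue_ticket(service_key: bytes, cname: str, sname: str) -> bytes:
    """Whoever holds service_key can mint a ticket that service will accept.
    The KDC does this legitimately; any other holder of the same key can
    do exactly the same thing for whatever cname it likes."""
    body = json.dumps({"cname": cname, "sname": sname}, sort_keys=True).encode()
    tag = hmac.new(service_key, body, hashlib.sha256).digest()
    return body + tag


def accept_ticket(own_key: bytes, own_sname: str, ticket: bytes) -> Optional[str]:
    """Server side: check the ticket with the service's own key and return the
    authenticated client principal, or None if it was not made under that key
    (or names a different service)."""
    if len(ticket) <= TAG_LEN:
        return None
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(own_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    fields = json.loads(body)
    if fields.get("sname") != own_sname:
        return None
    return fields["cname"]


def run_scenario(http_key: bytes, host_key: bytes) -> Dict[str, Optional[str]]:
    """Two tickets presented to the host/ service: a legitimate one issued by
    the KDC for alice, and one minted by a compromised HTTP service, which
    holds only http_key, naming root as the client."""
    legit = issue_ticket(host_key, f"alice@{REALM}", HOST_SPN)
    forged = issue_ticket(http_key, f"root@{REALM}", HOST_SPN)
    return {
        "legit": accept_ticket(host_key, HOST_SPN, legit),
        "forged": accept_ticket(host_key, HOST_SPN, forged),
    }


def separate_keys_scenario() -> Dict[str, Optional[str]]:
    """Distinct keys per SPN: the forged ticket fails verification at host/."""
    master = b"constructed-kdc-master-secret"
    http_key = derive_service_key(master, HTTP_SPN)
    host_key = derive_service_key(master, HOST_SPN)
    return run_scenario(http_key, host_key)


def shared_key_scenario() -> Dict[str, Optional[str]]:
    """Both SPNs map to the single machine key: the forged ticket is accepted
    and host/ believes it is talking to root."""
    master = b"constructed-kdc-master-secret"
    machine_key = derive_service_key(master, HOST_SPN)
    return run_scenario(machine_key, machine_key)


if __name__ == "__main__":
    print("separate keys:", separate_keys_scenario())
    print("shared key:   ", shared_key_scenario())
```

With separate keys the host/ acceptor returns `alice@REALM.EXAMPLE.COM` for the legitimate ticket and `None` for the forged one; with the shared key it returns `root@REALM.EXAMPLE.COM` for the forged ticket. The GSS-Proxy/SSPI arrangement Simo mentions removes the precondition entirely: the application never holds `http_key` or `host_key`, it only receives the authenticated client name from a privileged component that calls the equivalent of `accept_ticket` on its behalf.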



More information about the Kerberos mailing list