theory behind unique SPNs

Nico Williams nico at cryptonector.com
Fri Apr 24 18:24:48 EDT 2015


On Fri, Apr 24, 2015 at 05:05:32PM -0500, Ben H wrote:
> Nico -  I'm not sure I understand your redirection statement.  Is this from
> a "man-in-the-middle" type perspective?  The fact that each application
> communicates over a specific port would be enough to direct to the correct
> service, no?

Yes.  No; I'm assuming no IPsec or anything else to provide protection
for TCP packets.

For some sets of protocols no redirection attack may be possible, but
ideally the name of the services being different -and their having
different keys- should ensure this for all possible sets of protocols on
a host.

Consider a database server running many users' databases.  Surely you
want each user to have a different service name (and service
credentials) than all the others...

Not only that, to host many per-user services one needs to make key
management easy.  One site I know of uses ${USER}.<server-fqdn> as the
hostnames for per-user services, and they happily let any user get keys
(different from the rest) for HTTP/${USER}.<server-fqdn> at the server's
realm.

Nico
-- 
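The key-binding point Nico makes above (distinct service names are only a real boundary when each name also has its own key), and the per-user HTTP/${USER}.<server-fqdn> naming he describes, as an added illustration that is not part of the original mail. It is a toy model, not the Kerberos wire format: a "ticket" is a JSON body authenticated with an HMAC under the service's long-term key, standing in for the encrypted enc-part. The principal names, realm and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Toy model, constructed for this example: a "ticket" is a JSON body carrying
# the service name (sname), client name (cname) and a fresh session key,
# authenticated with an HMAC under the *service's* long-term key.  Real
# Kerberos encrypts the ticket's enc-part instead, but the property shown is
# the same: a ticket is only usable by a service holding the key it was
# issued under.


def issue_ticket(service_keys, sname, cname):
    """KDC side: build a ticket for client cname to service sname."""
    body = json.dumps({
        "sname": sname,
        "cname": cname,
        "session_key": os.urandom(16).hex(),
    }, sort_keys=True).encode()
    tag = hmac.new(service_keys[sname], body, hashlib.sha256).digest()
    return body, tag


def accept_ticket(my_name, my_key, ticket, check_sname=True):
    """Service side: return the ticket fields if it verifies, else None."""
    body, tag = ticket
    expected = hmac.new(my_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None            # not issued under this service's key
    fields = json.loads(body)
    if check_sname and fields["sname"] != my_name:
        return None            # issued for some other service name
    return fields


# Constructed ${USER}.<server-fqdn> style names for two per-user services on
# one database host, plus a constructed client principal.
ALICE = "HTTP/alice.dbhost.example.com"
BOB = "HTTP/bob.dbhost.example.com"
CLIENT = "carol@EXAMPLE.COM"


def redirected_ticket_accepted(shared_key, check_sname):
    """
    Issue a ticket for ALICE's service, then present it to BOB's service.
    Returns True if BOB's acceptor accepts it, i.e. the redirection worked.
    """
    if shared_key:
        k = os.urandom(32)
        keys = {ALICE: k, BOB: k}   # one host key reused by both services
    else:
        keys = {ALICE: os.urandom(32), BOB: os.urandom(32)}
    ticket = issue_ticket(keys, ALICE, CLIENT)
    return accept_ticket(BOB, keys[BOB], ticket, check_sname) is not None


def legitimate_ticket_accepted():
    """Sanity check: a ticket presented to the service it was issued for."""
    keys = {ALICE: os.urandom(32), BOB: os.urandom(32)}
    ticket = issue_ticket(keys, ALICE, CLIENT)
    fields = accept_ticket(ALICE, keys[ALICE], ticket)
    return fields is not None and fields["cname"] == CLIENT


if __name__ == "__main__":
    print("legitimate ticket accepted:", legitimate_ticket_accepted())
    print("shared key, no sname check, redirected ticket accepted:",
          redirected_ticket_accepted(shared_key=True, check_sname=False))
    print("shared key, sname checked, redirected ticket accepted:",
          redirected_ticket_accepted(shared_key=True, check_sname=True))
    print("distinct keys, redirected ticket accepted:",
          redirected_ticket_accepted(shared_key=False, check_sname=False))
```

With a shared key, whether a ticket for alice's service is honoured by bob's service depends entirely on whether bob's acceptor bothers to compare the name in the ticket against its own; with distinct keys the ticket fails to verify at bob's service no matter what the acceptor does, which is why different names plus different keys is the property that holds "for all possible sets of protocols on a host".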

