rdns, past and future
Ken Dreyer
ktdreyer at ktdreyer.com
Wed May 27 13:59:46 EDT 2020
On Tue, May 26, 2020 at 4:59 PM Jeffrey Altman
<jaltman at secure-endpoints.com> wrote:
>
> On 5/26/2020 6:31 PM, Ken Dreyer wrote:
> > On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
> > <jaltman at secure-endpoints.com> wrote:
> >>
> >> 2. Before the existence of DNS SRV records, CNAME records were the
> >> only method of offering a service on multiple hosts. However,
> >> its a poor idea to share the same key across all of the hosts.
> >
> > I'm curious about this. What makes it a poor idea?
> >
> > It seems like a very convenient way to scale a service up and down
> > dynamically quickly when you share a key among all instances.
>
> Because if you hack into one of the hosts you now have the key for all
> of the hosts. The holder of the key can forge tickets for any user.
This is true only if the administrator has enabled constrained
delegation for that key (eg. ok_to_auth_as_delegate) right? Is there
some other scenario I'm missing?
> Since the key isn't unique the entire distributed service has to be
> shutdown to address the vulnerability.
Ok, that makes sense. I was thinking of a homogeneous environment
where each app server runs the exact same versions of code, so an
attacker entry through a vulnerability on one system means that all
systems almost certainly have the same vulnerability.
> It is also much harder to trace where the key was stolen from.
Yeah, that's fair.
- Ken
More information about the Kerberos
mailing list