Why do "strict acceptor checking"?

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Oct 8 20:33:39 EDT 2024


>>  Also, I guess I find it personally frustating that a
>> practice that has caused me a ton of pain over a few decades is justified
>> by what I would charitably classify as "vague hand-waving".
>
>Me too. We've been recommending calling gss_accept_sec_context with
>GSS_C_NO_CREDENTIAL for a long time, and almost no one does that.  it's
>very annoying.

It's comforting to know that at least I'm not the only old, grizzled Kerberos
user that feels that way.

>>But, fine, let's talk about a specific example.  In the case of sudo,
>> the local hostname is used to build a "host" principal and passed in as
>> the server argument to krb5_verify_init_creds().  If you pass in NULL
>> instead to the server argument, krb5_verify_init_creds() will try
>> every "host" principal in the local keytab until one succeeds.
>
>
>AFAIK, that's a relatively recent feature in the grand scheme of things.

I am chuckling at the realization that "relatively recent" in Kerberos
now means "within the last 12 years" (looks like that code went in to
MIT Kerberos version 1.11).  Now I feel even older.  It seems like the
sudo Kerberos code has been unchanged for even longer.  But even then,
the previous implementation of krb5_verify_init_creds() just did the
same thing that sudo did, so the code in sudo was at best redundant
even when it was written.

>well, the keytab could contain a copy of a key that is known to other
>services or to some user.  even a principal intended to be used only as a
>client could be an issue, if an attacker knows the key and can print valid
>tickets.

I mean, sure, that's possible ... but that could be true for the host
key!

I know that newer versions of MIT Kerberos have the configuration file
entry "ignore_acceptor_hostname" (first appeared in 1.10) which does
resolve these issues, so it's not as big of a deal as it once was.

--Ken


More information about the Kerberos mailing list