[krbdev.mit.edu #7125] krb5_verify_init_creds should try all host principals in keytab by default
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu May 3 15:27:31 EDT 2012

Since 1.10 (r24749, #6887), krb5_verify_init_creds defaults to using the
first principal in the keytab if no principal is specified. The prior
behavior was to use krb5_sname_to_principal with the "host" service.

For two reasons, this new behavior is not ideal. First, if a host changes
names and the new hostname's key is appended to the keytab without
removing the old one, the login system can stop accepting users, which is
a pretty serious consequence of an arguably not-incorrect administration
operation. Second, not all keys in the system keytab necessarily have
host-level privilege; verifying credentials with a key known to some
non-root service could allow that service to conduct a Zanarotti attack on
the login system.

The desired behavior is to try verification with all unique host/*
principals in the keytab.
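
The two selection policies described in the report, as an added example that is not part of the original message and is not MIT krb5 code. It models a keytab as a list of principal names and does not call libkrb5; the function names, the sample principals, and the assumption that the old host principal can no longer be verified against the KDC are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CAND 16

// Constructed keytabs: principal names in file order, one entry per key.
static const char *renamed_host[] = {
    "host/old.example.com@EXAMPLE.COM",
    "host/old.example.com@EXAMPLE.COM", // same principal, second enctype
    "host/new.example.com@EXAMPLE.COM", // appended after the rename
};
static const char *service_first[] = {
    "HTTP/www.example.com@EXAMPLE.COM", // key readable by a non-root service
    "host/www.example.com@EXAMPLE.COM",
};

static int is_host(const char *p) { return strncmp(p, "host/", 5) == 0; }

// Policy since 1.10 as the report describes it: first principal only.
static int pick_first(const char **kt, int n, const char **out) {
    if (n == 0) return 0;
    out[0] = kt[0];
    return 1;
}

// Desired policy: every unique host-service principal, in keytab order.
static int pick_unique_hosts(const char **kt, int n, const char **out) {
    int count = 0;
    for (int i = 0; i < n && count < MAX_CAND; i++) {
        int seen = 0;
        if (!is_host(kt[i])) continue; // skip keys without host privilege
        for (int j = 0; j < count; j++)
            if (strcmp(out[j], kt[i]) == 0) seen = 1;
        if (!seen) out[count++] = kt[i];
    }
    return count;
}

// Model of verification: succeeds if any candidate is the principal the
// KDC can still issue a ticket for (assumed: only the current host name).
static int verify(const char **cand, int n, const char *kdc_known) {
    for (int i = 0; i < n; i++)
        if (strcmp(cand[i], kdc_known) == 0) return 1;
    return 0;
}

int main(void) {
    const char *c[MAX_CAND], *cur = "host/new.example.com@EXAMPLE.COM";
    printf("first-only: %d\n", verify(c, pick_first(renamed_host, 3, c), cur));
    printf("all hosts:  %d\n", verify(c, pick_unique_hosts(renamed_host, 3, c), cur));
    return 0;
}
```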