krb5_rd_cred checks IP address.
Booker C. Bense
bbense at networking.stanford.edu
Fri Feb 8 11:16:01 EST 2002
On Thu, 7 Feb 2002, Sam Hartman wrote:
> amu recently filed a Debian bug against my ssh-krb5 package
> complaining that when he forwarded addressless tickets from behind a
> NAT using ssh protocol version 1 to a new server, it didn't work. It
> turns out all of those qualifiers are necessary to reproduce the bug;
> change one and it works fine. Well, OK, if you get addressful tickets
> behind a NAT, it fails much earlier.
> Here's the problem. Our implementation of krb5_rd_cred checks the
> source address to make sure it matches the source address in the
> KRB-CRED structure. It turns out it only does this if the krb-cred
> structure is encrypted. It turns out that you'll only encrypt the
> structure under the ssh v1 forwarding mechanism when a new client
> talks to a new server.
> I'm not really sure what good this check does other than to screw over
> NAT users. Even if we pretend that we actually still care about IP
> address authentication what is the harm of accepting tickets from
> someone provided that they work?
- I can't see one. The whole rationale for the IP check is to make
replay attacks harder, but I don't grok how that would even apply
in this situation.
> I'm really not sure how to go about fixing this problem. I could see
> solving it in several ways and am not sure which one the community
> prefers. Do we remove the check on the source address?
- I would vote for this option. The IP checks have always seemed to
me to be the wrong solution to replay attacks; they don't really
solve the problem. A session key cache does.
- Booker C. Bense
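As an added illustration (not code from this thread or from the krb5 library), here is a small Python model of the two behaviours discussed: the source-address comparison that krb5_rd_cred performs only when the KRB-CRED is encrypted, which breaks for a sender behind a NAT, and the session-key cache Booker suggests instead. The field names, addresses and session keys are constructed stand-ins.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class KrbCred:
    """Constructed stand-in for the parts of a KRB-CRED the thread talks about."""
    s_address: Optional[str]   # sender address carried in the encrypted part (None = absent)
    encrypted: bool            # v1 forwarding only encrypts new-client -> new-server
    session_key: bytes         # session key of the forwarded ticket (constructed value)


def rd_cred_address_check(cred: KrbCred, observed_source: str) -> bool:
    """Model of the check described: compare s_address with the observed peer
    address, but only when the KRB-CRED structure is encrypted."""
    if not cred.encrypted or cred.s_address is None:
        return True  # unencrypted or addressless: the check is simply skipped
    return ip_address(cred.s_address) == ip_address(observed_source)


class SessionKeyCache:
    """The alternative Booker prefers: refuse a forwarded credential whose
    session key has already been accepted, independent of any IP address."""
    def __init__(self) -> None:
        self._seen: set = set()

    def accept(self, cred: KrbCred) -> bool:
        if cred.session_key in self._seen:
            return False  # replay of an already-consumed credential
        self._seen.add(cred.session_key)
        return True


def demo() -> dict:
    # Client at a private address behind a NAT; the server sees the NAT's public address.
    nat_cred = KrbCred("10.0.0.5", encrypted=True, session_key=b"\x01" * 16)
    unenc_cred = KrbCred("10.0.0.5", encrypted=False, session_key=b"\x02" * 16)
    cache = SessionKeyCache()
    return {
        # encrypted + NAT: the address check rejects a perfectly valid credential
        "nat_encrypted": rd_cred_address_check(nat_cred, "203.0.113.7"),
        # same sender, unencrypted KRB-CRED: the check is skipped and it "works"
        "nat_unencrypted": rd_cred_address_check(unenc_cred, "203.0.113.7"),
        # session-key cache: first use accepted, replay rejected, NAT irrelevant
        "first_use": cache.accept(nat_cred),
        "replay": cache.accept(nat_cred),
    }
```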