Implementing IETF Draft on DNS use in Kerberos

[Will Fiveash]

On Thu, Jul 18, 2002 at 07:37:55PM -0400, Derek Atkins wrote:
> Will Fiveash <william.fiveash at sun.com> writes:
> 
> > I thought that the receipt of a valid TGT was proof for the client
> > that it was dealing with a trusted KDC and thus the local realm lookup
> > was valid.  If this is true, then it doesn't seem necessary to get a
> > service ticket in order to validate the local realm lookup.  (I should
> > point out that by client I mean client principal with an entry in the
> > KDC's princ db.)
> 
> Receipt of the TGT only proves that the user knew the correct
> password to decrypt the krb5 packet received from the network.
> It says nothing about whether that is a "proper" TGT.  I could
> generate an 'AS_REP" message on my own with a password that I
> know, and send it in response to AS_REQ messages of my own
> choosing.
> 
> The login host should _use_ that TGT to obtain a service ticket
> for itself in order to verify the TGT is a "real" TGT and not
> a fake TGT as described above.

In fact this is what Solaris pam_krb5 does which makes sense in light
of this discussion.  It seems to me that using DNS lookups for local
realm and KDC are okay as long as the local systems authenticate TGTs
with service tickets.  If a system assumes that possession of a TGT
implies authentication then that system has a fundamental security
problem.  Even if the local realm and KDC hostname are specified in
the krb5.conf file, the IP address of the KDC can be spoofed (as Sam
noted in an off-list discussion) so the host can't really just trust a
TGT.

> -derek
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord at MIT.EDU                        PGP key available

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)