krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
John Hascall
john at iastate.edu
Tue Apr 8 17:49:50 EDT 2003
> > I would be interested in hearing more about #3 (how does
> > hostname canonicalization == no security?)
> DNS spoofing. I spoof the PTR lookup to a machine that I own.
> I now act as a Man-in-the-middle.
OK, client 1.2.3.4 wants to connect to foo.example.com, which is really foo-1 through foo-99 (1.2.1.1 - 99), so it does an A lookup on foo.example.com and gets back, say, 1.2.1.17, which it then does a pointer lookup on, and instead of getting back foo-17.example.com some DNS trickery occurs and it gets back drevil.example.com. It acquires tickets for, say, host/drevil.example.com, then connects to 1.2.1.17 and attempts to use the host/drevil.example.com ticket to authenticate. This is obviously going to fail, so the attacker must do something more than just fudging the PTR lookup. One possibility is fudging the A lookup too.

OK, so now the client is talking to drevil when it thinks it is talking to one of the foo-cluster (which is bad enough), but how does drevil authenticate to foo-17 (as the user on the client) to complete the man-in-the-middle?
John
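Since the scenario above turns on where the service principal name comes from, here is an added model of that step (example code, not MIT krb5's own and not from the thread): with reverse DNS the principal is taken from the PTR answer, without it the client keeps the name it asked for, and a ticket is only useful against a server that holds that principal's key. The DNS data, the EXAMPLE.COM realm and the foo-17 keytab are constructed.

```python
# Added example, not from the krbdev thread: a model of how a Kerberos client
# derives the service principal (krb5_sname_to_principal) with and without
# reverse DNS, run over constructed DNS data. Hostnames and 1.2.1.x addresses
# follow the thread's example; the model omits forward CNAME canonicalization.
from typing import Dict, Optional, Set

DnsView = Dict[str, Dict[str, str]]   # {"A": name->addr, "PTR": addr->name}

def sname_to_principal(hostname: str, service: str, dns: DnsView,
                       realm: str, rdns: bool = True) -> str:
    # Step 1: forward (A) lookup, which the client needs to connect anyway.
    addr: Optional[str] = dns["A"].get(hostname)
    if addr is None:
        raise LookupError(f"no A record for {hostname}")
    canon = hostname
    # Step 2: with rdns enabled, the PTR answer for that address (data the
    # client did not ask for and cannot verify) replaces the requested name.
    if rdns:
        canon = dns["PTR"].get(addr, hostname)
    return f"{service}/{canon.lower()}@{realm}"

def server_accepts(keytab: Set[str], ticket_principal: str) -> bool:
    # A service can only decrypt tickets for principals whose keys it holds.
    return ticket_principal in keytab

# Constructed honest DNS: foo.example.com resolves to cluster node foo-17.
HONEST: DnsView = {"A": {"foo.example.com": "1.2.1.17"},
                   "PTR": {"1.2.1.17": "foo-17.example.com"}}
# Constructed spoofed view: same A answer, but the PTR now names drevil.
SPOOFED_PTR: DnsView = {"A": dict(HONEST["A"]),
                        "PTR": {"1.2.1.17": "drevil.example.com"}}
# Keys held by the real node at 1.2.1.17 (constructed keytab).
FOO17_KEYTAB = {"host/foo-17.example.com@EXAMPLE.COM"}

def outcome(dns: DnsView, rdns: bool) -> Dict[str, object]:
    princ = sname_to_principal("foo.example.com", "host", dns, "EXAMPLE.COM", rdns)
    return {"principal": princ, "foo17_accepts": server_accepts(FOO17_KEYTAB, princ)}

if __name__ == "__main__":
    for label, view in (("honest", HONEST), ("spoofed PTR", SPOOFED_PTR)):
        for rdns in (True, False):
            print(f"{label:12} rdns={rdns!s:5} -> {outcome(view, rdns)}")
```

Disabling reverse resolution (`rdns = false` under `[libdefaults]` in krb5.conf) removes the PTR dependency, but as the honest/no-rdns case shows, every node behind foo.example.com then needs the host/foo.example.com key.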