krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Derek Atkins warlord at MIT.EDU
Tue Apr 8 18:02:34 EDT 2003

John Hascall <john at> writes:

> > > I would be interested in hearing more about #3 (how does
> > > hostname canonicalization == no security?)
> > DNS spoofing.  I spoof the PTR lookup to a machine that I own.
> > I now act as a Man-in-the-middle.
>     Ok, client wants to connect to
>     which is really foo-1 through foo-99 ( - 99) so
>     it does an A lookup on and gets back,
>     say which it then does a pointer lookup on
>     and instead of getting back ( some
>     DNS trickery occurs and it gets back
>     and it acquires tickets for say host/
>     and then connects to and it attempts to use
>     the host/ ticket to authenticate.
>     This is obviously going to fail, so the attacker must
>     do something more than just fudging the PTR
>     lookup.  One possibility is fudging the A lookup too.
>     Ok, so now the client is talking to drevil when it
>     thinks it is talking to one of the foo-cluster (which
>     is bad enough), but how does drevil authenticate to
>     foo-17 (as the user on the client) to complete the
>     man-in-the-middle?

Well, it depends on the protocol in use, doesn't it?  If the protocol
is a printing protocol, I can get you to print that confidential
document on my printer instead of yours.  If it's a login session, I
might be able to get you to type your password into my (hacked) login
program....  Besides, who said the connection from drevil to the real
server had to be protected/authenticated?
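The canonicalization step this exchange turns on, as an added example that is not part of the original message and not MIT Kerberos code: a constructed resolver and a small function that mimics what krb5_sname_to_principal observably does (forward A lookup, then PTR lookup on the result, then host/<name>@REALM), run over the honest, PTR-only-spoofed and A-spoofed cases John describes. Every address, host name, the realm EXAMPLE.COM, the key tables and the function names are assumptions made for the illustration.

```python
"""Constructed model of hostname canonicalization as discussed in the
thread. Illustrative code only: the resolver tables, addresses and host
names are made up, and sname_to_principal merely mimics the observable
behaviour of krb5_sname_to_principal (A lookup, PTR lookup, then
host/<name>@REALM)."""

REALM = "EXAMPLE.COM"


class FakeDNS:
    """Constructed stand-in for the resolver: A records and PTR records."""

    def __init__(self, a, ptr):
        self.a = dict(a)      # hostname -> address
        self.ptr = dict(ptr)  # address  -> hostname

    def lookup_a(self, name):
        return self.a.get(name.lower())

    def lookup_ptr(self, addr):
        return self.ptr.get(addr)


def sname_to_principal(dns, hostname, service="host", rdns=True):
    """Return (principal the client will ask the KDC for, address it
    will connect to). With rdns=True the typed name is replaced by
    whatever the PTR record for the resolved address says, which is the
    step the thread is about; with rdns=False the typed name is kept."""
    addr = dns.lookup_a(hostname)
    if addr is None:
        raise LookupError(f"no A record for {hostname}")
    canonical = hostname.lower()
    if rdns:
        reverse = dns.lookup_ptr(addr)
        if reverse is not None:
            canonical = reverse.lower()
    return f"{service}/{canonical}@{REALM}", addr


def authenticate(dns, servers, hostname, rdns=True):
    """Simulate one connection attempt. Returns (requested principal,
    address reached, host at that address, True if that host holds the
    key for the principal and so can decrypt the service ticket)."""
    principal, addr = sname_to_principal(dns, hostname, rdns=rdns)
    identity, keys = servers[addr]
    return principal, addr, identity, principal in keys


# Constructed topology: foo.example.com is a cluster alias that today
# hands out foo-17's address. foo-17 holds its own key and the alias
# key; drevil is the attacker's box and legitimately holds its own key.
SERVERS = {
    "10.0.0.17": ("foo-17", {f"host/foo-17.example.com@{REALM}",
                             f"host/foo.example.com@{REALM}"}),
    "10.0.0.66": ("drevil", {f"host/drevil.example.com@{REALM}"}),
}

HONEST_DNS = FakeDNS(
    a={"foo.example.com": "10.0.0.17",
       "foo-17.example.com": "10.0.0.17",
       "drevil.example.com": "10.0.0.66"},
    ptr={"10.0.0.17": "foo-17.example.com",
         "10.0.0.66": "drevil.example.com"},
)

# Attacker fudges only the PTR record for foo-17's address.
PTR_SPOOF_DNS = FakeDNS(
    a=HONEST_DNS.a,
    ptr={**HONEST_DNS.ptr, "10.0.0.17": "drevil.example.com"},
)

# Attacker fudges the A record too, so the client really goes to
# drevil; the PTR for drevil's own address already says drevil.
A_SPOOF_DNS = FakeDNS(
    a={**HONEST_DNS.a, "foo.example.com": "10.0.0.66"},
    ptr=HONEST_DNS.ptr,
)


def run_scenarios(hostname="foo.example.com"):
    """Run the cases from the thread and return them keyed by name."""
    return {
        "honest": authenticate(HONEST_DNS, SERVERS, hostname),
        "honest_no_rdns": authenticate(HONEST_DNS, SERVERS, hostname,
                                       rdns=False),
        "ptr_only_spoof": authenticate(PTR_SPOOF_DNS, SERVERS, hostname),
        "a_spoof": authenticate(A_SPOOF_DNS, SERVERS, hostname),
        "a_spoof_no_rdns": authenticate(A_SPOOF_DNS, SERVERS, hostname,
                                        rdns=False),
    }


if __name__ == "__main__":
    for name, (princ, addr, host, ok) in run_scenarios().items():
        verdict = "ticket accepted" if ok else "ticket rejected"
        print(f"{name:16} -> {princ:36} reached {host:6} ({addr}): {verdict}")
```

In the PTR-only case the client asks for host/drevil but still lands on foo-17, which cannot decrypt that ticket, so the attempt fails just as John says. Once the A record is fudged as well, the client asks for host/drevil and connects to drevil: the KDC issues that ticket without complaint, because drevil is a perfectly legitimate principal, and the attacker's machine decrypts it, so the client now believes it has authenticated to a member of the foo cluster. In this model the only thing that breaks the chain is not doing the reverse lookup at all, and that in turn only works because foo-17 also holds the alias key host/foo.example.com; without per-member alias keys, skipping canonicalization would make the honest case fail too. Later MIT krb5 releases expose that switch as `rdns = false` in the [libdefaults] section of krb5.conf; the 2003 thread itself does not say what knob, if any, was available at the time.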

