Comments on the use of plugins - useof pkinit_kdc_hostname

Douglas E. Engert deengert at anl.gov
Mon Jun 18 10:30:31 EDT 2007 


Sam Hartman wrote:
>>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> 
>     Douglas> The pkinit_kdc_hostname, in effect duplicates, the hostnames
>     Douglas> as used in kdc = or in the DNS SRV records.  We really like to
>     Douglas> use the dns_lookup_kdc=1 option so we don't have to have the names
>     Douglas> of the KDCs in the krb5.conf. Having to add the
>     Douglas> hostnames for pkinit_kdc_hostnames defeats this goal!
> 
>     Douglas> If the concern is that the cert may be valid but not be from
>     Douglas> a KDC, I would hope that some more Windows friendly code
>     Douglas> could be added. It looks like Windows adds the extension
>     Douglas> 1.3.6.1.311.20.2 with a value of DomainController (utf8?) to
>     Douglas> the cert as well as a SAN for DNS. (But windows being windows
>     Douglas> the host part of the DNS name XXXXXX below is in uppercase!)
> 
> No, the issue is that without trusting DNS, you don't know that the
> SRV record returned the right cert. 

This DNS trust issue is the same problem you have without PKINIT,
and is related to IP spoofing, i.e. how does the client know
it is talking to the real KDC?

> You need to have some way to securely map the realm name to the kdcs.

Yes, I see that the Windows KDC cert says it is a domain controller, and
lists it DNS name, but does not list the realm name. The CA is trusted
to have signed the KDC cert, but the cert could have been for a KDC in some
other realm in the AD-forest.

But without PKINIT one should be using the krb5_verify_init_creds to make
sure the client got tickets from the real KDC. I would assume that
krb5_verify_init_creds is still recommended with PKINIT, and it
would catch any  DNS or spoofing attack including a cert from the wrong realm.

What I am saying is having to add pkinit_kdc_hostnames is too much
configuration management in an environment that has lived without
it. I would like to see something else. I would expect eventually the
Microsoft KDCs will have certs with the extensions defined in the PKINIT
RFC.



> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list