Behavior change of krb5_rd_req: what error to return
Sam Hartman
hartmans at painless-security.com
Thu Dec 4 07:37:43 EST 2008
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Wed, Dec 03, 2008 at 11:12:43AM -0600, Nicolas
Nicolas> Williams wrote:
>> Note that having aliases which share the same longterm key as
>> another principal means that an attacker can undetectably
>> change the sname in the unauthenticated plain-text part of the
>> Ticket. (The sname is not repeated inside the Ticket nor in
>> the Authenticator.) I'm not sure that such an attack is
>> terribly interesting, UNLESS the service is going to make
>> authorization decisions according to the name by which it was
>> called.
Nicolas> Oh, of course, if we're talking about case and
Nicolas> normalization differences then never mind.
Well, it's bigger than that. Since the sname is not protected, having any two services that share the same long-term key means they are indistinguishable.
If they are aliases, this seems entirely reasonable: it's the point of
them being aliases--names for each other.
It seems like a very bad idea to have two principals that share the same key and are not aliases.
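As an added illustration, not part of the thread: a toy model of the point made above. A Ticket's sname is outside the integrity-protected enc-part, so a verifier that looks up the key by sname cannot tell two principals apart if they share a long-term key; giving each non-alias principal its own key makes the relabelled ticket fail verification. Principal names, keys and the encoding are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed toy model of a Kerberos Ticket in the shape RFC 4120 describes
# (not a wire-compatible encoding): sname lives in the unauthenticated
# plaintext part, and only enc-part is protected by the service's long-term
# key. Encryption is left out because only enc-part's integrity matters here.

def make_ticket(sname, cname, service_key):
    """KDC side: bind the client name into enc-part under the service key."""
    enc_body = json.dumps({"cname": cname, "session_key": "constructed"}).encode()
    tag = hmac.new(service_key, enc_body, hashlib.sha256).digest()
    return {"sname": sname, "enc_part": (enc_body, tag)}

def rd_req(ticket, keytab):
    """Toy stand-in for krb5_rd_req: pick the key by the ticket's sname and
    verify enc-part. Returns the decoded body, or None on failure."""
    key = keytab.get(ticket["sname"])
    if key is None:
        return None
    body, tag = ticket["enc_part"]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return json.loads(body)

def relabel(ticket, new_sname):
    """Change the plaintext sname only; enc-part is untouched, so nothing binds it."""
    return {"sname": new_sname, "enc_part": ticket["enc_part"]}

def accepted_under_other_name(keytab):
    """Issue a ticket for host/a, relabel it as host/b, and report whether the
    verifier accepts it as host/b. True means the two names are not
    distinguishable to the service."""
    ticket = make_ticket("host/a", "alice", keytab["host/a"])
    return rd_req(relabel(ticket, "host/b"), keytab) is not None

# Constructed keytabs: two non-alias principals sharing a key vs. one key each.
SHARED_KEY = {"host/a": b"k-shared", "host/b": b"k-shared"}
DISTINCT_KEYS = {"host/a": b"k-for-a", "host/b": b"k-for-b"}

if __name__ == "__main__":
    print("shared key, accepted as host/b:", accepted_under_other_name(SHARED_KEY))      # True
    print("distinct keys, accepted as host/b:", accepted_under_other_name(DISTINCT_KEYS))  # False
```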