canonicalize, as_req, pa_svr_referral, pa_server_referral

Sam Hartman hartmans at painless-security.com
Thu Dec 18 17:38:01 EST 2008


Luke, Ken, Tom and I are discussing this on Jabber.

Can you describe in more detail the netbios realm name situation?

It seems like several attacks are possible and I'd like to understand
why they are of no concern to windows or to what extent they exist.

In the password server case, if I can change the service you are connecting to so that it is one that I have compromised, it seems I'm likely to learn your new password.
What protects against this?

In the TGS case--that is AS to get a TGT--it seems like I can do some
damage by redirecting you to the wrong realm.  If you're using pkinit,
I can give you a ticket even if I don't know your password.  Then I
can direct you to fake servers of my choice.  All I need is a KDC
certificate that you are willing to trust.  So, for environments like
MIT, where we have realms like zone.mit.edu that are known to run at
very low assurance, if clients are willing to talk to these realms at
all, it seems problematic.

Even without pkinit, it seems like you can run into some problems if
you share a password.
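The realm-redirection concern raised above comes down to whether a client follows a KDC referral without checking the referred realm against a trust policy. The following is an added illustration, not code from the thread or from any Kerberos implementation: a hypothetical client-side policy object that decides whether to follow a referral to another realm, refusing realms it does not know, realms configured at lower assurance (the zone.mit.edu case), and password-based exchanges with any referred realm. The realm names and assurance levels are constructed sample configuration.

```python
"""Hypothetical client-side check applied before following a KDC realm
referral (AS-REQ with canonicalize set, KDC answers with a referral).
Assumed configuration; not an API of any real Kerberos library."""
from dataclasses import dataclass, field
from enum import Enum


class Assurance(Enum):
    HIGH = 3
    MEDIUM = 2
    LOW = 1
    UNKNOWN = 0


@dataclass
class ReferralPolicy:
    # Map of realm name -> assurance the client administrator assigns to it.
    # Kerberos realm names are case-sensitive, so no case folding is done.
    realm_assurance: dict = field(default_factory=dict)
    # Whether a password (as opposed to pkinit) may be used with a referred realm.
    allow_cross_realm_password: bool = False

    def level(self, realm: str) -> Assurance:
        return self.realm_assurance.get(realm, Assurance.UNKNOWN)

    def should_follow(self, home_realm: str, referred_realm: str,
                      uses_password: bool) -> tuple[bool, str]:
        """Return (follow, reason) for a referral from home_realm to referred_realm."""
        if referred_realm == home_realm:
            return True, "no realm change"
        ref_level = self.level(referred_realm)
        if ref_level is Assurance.UNKNOWN:
            return False, f"referred realm {referred_realm} is not in the trust policy"
        if ref_level.value < self.level(home_realm).value:
            return False, f"{referred_realm} runs at lower assurance than {home_realm}"
        if uses_password and not self.allow_cross_realm_password:
            return False, "refusing to send a password to a referred realm"
        return True, f"referral to {referred_realm} permitted"


# Constructed sample policy for a client homed in ATHENA.MIT.EDU.
SAMPLE_POLICY = ReferralPolicy({
    "ATHENA.MIT.EDU": Assurance.HIGH,
    "ZONE.MIT.EDU": Assurance.LOW,
    "PARTNER.EXAMPLE": Assurance.HIGH,
})

if __name__ == "__main__":
    for realm, pw in [("ZONE.MIT.EDU", False), ("PARTNER.EXAMPLE", True),
                      ("PARTNER.EXAMPLE", False), ("UNKNOWN.EXAMPLE", False)]:
        print(realm, SAMPLE_POLICY.should_follow("ATHENA.MIT.EDU", realm, pw))
```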


