Proposed modifications to replay cache to prevent false positives
Will Fiveash
William.Fiveash at sun.com
Thu May 22 13:45:44 EDT 2008
On Thu, May 22, 2008 at 03:03:09AM -0400, Roland Dowdeswell wrote:
> On 1211429804 seconds since the Beginning of the UNIX epoch
> Nicolas Williams wrote:
> >
>
> >I should add that I doubt that mixing of server krb5 implementations
> >sharing one principal happens much.
> >
> >Also, Heimdal has a different rcache format. So, I suspect there's no
> >real need to be backwards compatible with rcache file formats, but then,
> >to be conservative we can just retain an option for compat.
>
> At work, I certainly share rcaches between different krb5
> implementations on, I think, at least over 20K machines.
This seems risky to me if I understand the above. Note that the default
location for rcaches in Solaris is under /var/krb5/rcache which may
differ from other krb implementations. If one is running services using
krb auth with differing krb implementations but using a common service
principal care should be taken to configure the various krb flavors to
use a common rcache (assuming they all support the same rcache format).
Otherwise a replay attack is possible if the services are using
different rcaches for the same service principal.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
More information about the krbdev
mailing list