Realm lookups again
Nicolas.Williams at sun.com
Wed Oct 1 18:47:29 EDT 2008
On Wed, Oct 01, 2008 at 06:40:07PM -0400, Greg Hudson wrote:
> Ignore _kerberos.domain TXT RRs for the moment.
> There are two parts to the Sun patch:
> 1. Implement the heuristic for host->realm
> 2. Determine default_realm by applying the heuristic to the host's
> interface names and DNS search path.
> Part 1 only uses DNS if dns_lookup_kdc is true (the default), so you're
> correct as far as that goes.
> By my reading, part 2 uses DNS to reverse-resolve the host's interface
> addresses if dns_lookup_realm is *false* (also the default). If you can
> subvert that reverse lookup, you can make the library try to use any
> realm it can successfully look up as the default.
> > The severity of such an attack depends on whether you trust EXAMPLE.COM
> > not to create host-based principals for hosts in bar.example.com. Now,
> > with this heuristic this is a determination of trust that one would have
> > to make for every domain/realm.
> For host->realm conversion, yes. For default_realm determination, I
> believe there are other attacks--mainly convincing a host not to do
> keytab verification because it can't find a suitable service key in its
> keytab for the (wrong) default realm.
IMO a host should never skip TGT verification for local logins. (That
should be the default anyways.) (Unless the TGT is obtained via PKINIT
or FAST w/ PKINIT w/ anon PKINIT client, so that the AS is explicitly
authenticated to the client host.)
> (That particular attack goes away if, as you suggest, we use the realm
> from the host's keytab entries in preference to information from DNS.)