question about krb5_verify_init_creds() and verify_ap_req_nofail

Will Fiveash will.fiveash at oracle.com
Fri Jan 14 16:21:50 EST 2011


On Tue, Jan 11, 2011 at 06:51:18PM -0500, Sam Hartman wrote:
> 
> This is the designed behavior of the code.  The reason that verify_creds
> does not always fail is that some machines are not keyed.  To provide a
> secure environment, you want the ability to assert that all your
> machines will be keyed in a configuration file.
> 
> However, if a key is present, it provides better security (and defense
> against an important attack) to use it.  If the key is bogus, the
> administrator should delete it.

I've been thinking about the MIT default behavior here, which assumes
verify_ap_req_nofail is not set (i.e. false), and I have a concern.
Assume an admin initially sets up a system with a host service key in
the keytab and doesn't bother to explicitly set verify_ap_req_nofail to
true in krb5.conf. If that system's hostname or realm changes and the
admin forgets to ktadd a new host service princ key, then that system is
now vulnerable to KDC spoofing, correct?  If that is true, shouldn't the
MIT default be more restrictive and require an admin to explicitly set
verify_ap_req_nofail to false in krb5.conf if they are less concerned
about KDC spoofing?  Note, this is the Solaris default behavior.

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
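The failure mode Will describes above (a keytab left keyed for an old hostname or realm, plus the MIT default of verify_ap_req_nofail unset) is something an admin can audit for. The following POSIX shell script is an added example, not code from the thread or from MIT krb5; it assumes the behavior Sam and Will describe (with verify_ap_req_nofail false, krb5_verify_init_creds() silently skips verification when no host key is found; with it true, a missing key is an error) and works on plain text so it runs offline. The klist -k listing and krb5.conf contents are constructed samples; on a real host you would pass "$(klist -k)" and "$(cat /etc/krb5.conf)" instead.

```shell
#!/bin/sh
# Added example: audit a host for silent KDC-spoofing exposure.
# A host is exposed when BOTH hold:
#   1. the keytab has no host/<current fqdn>@<realm> key, and
#   2. krb5.conf does not set verify_ap_req_nofail = true in [libdefaults]
# (assumes MIT krb5's default, as described in the thread, of skipping
# AP-REQ verification when the key is simply absent).

# keytab_has_host_key LISTING FQDN REALM
# Returns 0 if LISTING (output of `klist -k`) contains host/FQDN@REALM.
keytab_has_host_key() {
    listing=$1; fqdn=$2; realm=$3
    # klist -k prints "   <kvno> <principal>", so require the principal to
    # start at a word boundary and end the line.
    printf '%s\n' "$listing" | grep -Eq "(^|[[:space:]])host/${fqdn}@${realm}\$"
}

# nofail_enabled CONF
# Returns 0 if CONF (krb5.conf text) sets verify_ap_req_nofail to a true
# value inside [libdefaults]. Accepted spellings follow MIT's profile
# booleans (true/t/yes/y/on/1).
nofail_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && $0 ~ /^[ \t]*verify_ap_req_nofail[ \t]*=[ \t]*(true|t|yes|y|on|1)[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# kdc_spoof_exposure LISTING FQDN REALM CONF
# Prints a verdict. Returns 0 if protected (matching key present, or
# nofail set so the library fails closed), 1 if exposed.
kdc_spoof_exposure() {
    if keytab_has_host_key "$1" "$2" "$3"; then
        echo "ok: keytab has host/$2@$3, initial creds will be verified"
        return 0
    fi
    if nofail_enabled "$4"; then
        echo "ok: no host/$2@$3 key, but verify_ap_req_nofail=true so krb5_verify_init_creds() fails closed"
        return 0
    fi
    echo "EXPOSED: no host/$2@$3 key and verify_ap_req_nofail not set; verification is silently skipped"
    echo "fix: ktadd host/$2@$3, or set verify_ap_req_nofail = true in [libdefaults]"
    return 1
}

# --- constructed sample data (not real output) ---
# Keytab still keyed for the host's OLD name after a rename.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oldname.example.com@EXAMPLE.COM
   2 host/oldname.example.com@EXAMPLE.COM'

# MIT default: verify_ap_req_nofail left unset.
SAMPLE_CONF_DEFAULT='[libdefaults]
    default_realm = EXAMPLE.COM'

# Stricter configuration, matching the Solaris default Will mentions.
SAMPLE_CONF_STRICT='[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = true'

# Demo: renamed host, default config -> exposed; strict config -> protected.
kdc_spoof_exposure "$SAMPLE_KLIST" newname.example.com EXAMPLE.COM "$SAMPLE_CONF_DEFAULT" || :
kdc_spoof_exposure "$SAMPLE_KLIST" newname.example.com EXAMPLE.COM "$SAMPLE_CONF_STRICT" || :
```

The check only looks at the key's presence, not its validity; a stale key with the right name but a wrong kvno or password is the "bogus key" case Sam mentions, which shows up as a hard verification failure rather than silent exposure, and the fix there is to delete or re-ktadd it.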