clock skew and preauth
Tom Yu
tlyu at MIT.EDU
Sun Apr 15 23:52:30 EDT 2012
Greg Hudson <ghudson at MIT.EDU> writes:
> I have one concern about this approach, which is that an attacker could
> create a false log entry for a successful preauthentication on the KDC
> by forging the timestamp in a preauth-required error. That is, you
> attempt to kinit at noon; I forge a timestamp of 11pm in the
> preauth-required error and capture your preauthenticated request; then
> at 11pm I send that request to the KDC to make it look like you
> authenticated at that time.
>
> This isn't necessarily a serious enough vulnerability to worry about
> (when the alternative is for preauth to just fail with skewed clocks),
> but I want to raise the issue before taking the patch.
I think it's OK as long as we clearly communicate the auditing
consequences in our documentation and elsewhere. Does anyone see a
security consequence besides auditing?
More information about the krbdev
mailing list