Initial Auth Realm Fall-back
Nico Williams
nico at cryptonector.com
Thu Aug 22 18:22:43 EDT 2013
On Thu, Aug 22, 2013 at 3:45 PM, Shawn M Emery <shawn.emery at oracle.com> wrote:
> For environments that _do_ happen to have user principal name collisions
> between realms this would not have any more impact on n-strikes for any
> random default realm given that any decrypt integrity error code
> returned would short-circuit the realm fall-back. As mentioned above,
> the only time the fall-back realm would be used is when the unknown
> principal error code is returned.
Any incorrect password usage has N-strikes impact. Of course, that's
more a reflection on the utter stupidity that is N-strikes: a willful
DoS vulnerability.
Still, it's a real impact.
To recap the discussion we had the other day, IMO:
- Heimdal and MIT should both implement a single-valued user_realm
paramater for use in qualifying otherwise realm-less unparsed
principal names in krb5_get_init_creds*() callers (possibly also
including gss_acquire_cred_with_password()).
- Any multi-valued user_realm support should not be documented OR the
documentation should advise users against it.
- Heimdal and MIT should also support UPNs in krb5_get_init_creds*(),
with canonicalization, of course, and pam-krb5 modules should use this
to update PAM_USER, and should have an option to allow username at domain
forms of canonical usernames. On systems where there is appropriate
name service and ID mapping functionality this will permit
multi-domain user support, which I'm sure Solaris and Linux users
would all very much like to have.
Nico
--
More information about the krbdev
mailing list