[PATCH] Fix SPNEGO interoperability with servers implementing RFC2478
nico at cryptonector.com
Mon Aug 4 19:02:55 EDT 2014
On Mon, Aug 4, 2014 at 5:53 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> It's not clear that there's *any* way a client can safely infer from the
> NTLMSSP exchange that a server really *is* one of the RFC2478ish Windows
> versions. Any feature we use to detect a 'newer' server can be disabled
> by the attacker¹, AFAICT. I can't see a better option than just to allow
> fallback without REQUEST-MIC but *only* to NTLMSSP. And perhaps only if
> enabled by a krb5.conf option? Either abusing allow_weak_crypto or
> adding something more appropriate...
That seems reasonable to me, yes.
If you're willing to fall back on a mechanism that can't do integrity
protection then you can't have downgrade detection.
Of course, if you have credentials for a mechanism like Kerberos that
can tell you a priori that you stand a good chance of succeeding, and
it does tell you that, then you shouldn't offer any other mechanisms
weaker than Kerberos. (This is a common idiom in SSHv2 GSS key
exchange clients: call gss_init_sec_context() first, and if that
doesn't fail, offer the mechanism, else don't.)