Securing the keytabs of host-based principals

[John Devitofranceschi]

It is a common convention to have service principal names of the form service/fqdn at REALM.

It is also common for these SPNs to have keytab files on the servers that run the services they’re associated with.

Sometimes it is necessary for these keytabs to be used for authentication.

I was thinking that is would be a good thing to be able to verify that an authentication request for a principal like service/fqdn  was actually coming from the fqdn in the principal name. Certainly this check can be done by looking at the ISSUE KDC log message since both the requesting principal name and the requesting ip address are in the log. But by then it’s too late.

Would it be possible/desirable/sensible to have a new attribute (or flag) that designates a principal to be a host-based principal that follows standard conventions? When the KDC sees a ticket request from a principal with this attribute, an additional check will verify that the source address of the request maps to the fqdn in the principal.

Additionally a kdc.conf variable could be defined that controls the behavior of this check when it fails: warn (the default) or deny.

This would allow operators to (at least) easily detect if any keytabs are being used on hosts for which they were not intended. 

jd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2393 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20160706/75083cd8/attachment.bin