[1391] in Kerberos
Re: Verifying passwords without getting new tickets
daemon@ATHENA.MIT.EDU (Jon A. Rochlis)
Fri May 17 12:34:21 1991
From: jon@MIT.EDU (Jon A. Rochlis)
To: "Barr3y Jaspan" <bjaspan@ATHENA.MIT.EDU>
Cc: kctreima@eos.ncsu.edu (Kenneth C. Treimann), kerberos@ATHENA.MIT.EDU
In-Reply-To: Your message of Thu, 16 May 91 22:10:18 -0400.
Date: Fri, 17 May 91 11:44:36 EDT
Is there a way to verify a userid and password without getting a
new ticket-granting-ticket?
By definition, no. "Verifying a userid and a password" under Kerberos
is defined as asking the Kerberos server for a tgt and having it
successfully decrypted by the kinit/login program, using the password
provided by the user.
This is not true. Think about it. If you ask Kerberos for a initial
ticket (it need not be a TGT) and decrypt it, you have only made use
of *one* secret (the user's password). Kerberos is based upon shared
secrets. To identify a principle you need to have *two* secrets.
This is an example of the old ksu bug, where spoofing the KDC actually
buys you something. (I.e. I want to fool you into thinking I'm
George.Bush@WhiteHouse.GOV, so I tell you that's my name. You request
a TGT (or whatever) from Kerberos, but before Kerberos can respond
with a real ticket, I reply with a well formed ticket encrypted in the
password "millie", which I type in when your program asks. It will
decrypt just fine and dandy. If you tried to actually use the ticket,
the service you're trying to fool would reject it.) This is pretty
easy to do and has been demonstrated.
To be safe you must ask Kerberos for a ticket and then *use* it by
sending it to a service with it's own secret (service key) registered
with kerberos. Check out the sources for ksu. In order to be secure
you need to have a srvtab with rcmd.hostname for ksu to use (since ksu
is setuid it can keep the service key secret).
This is perhaps subtle, but very important. There is at least one
commercial implementation of Kerberos which is vulnerable to this
attack.
-- Jon
