
Re: login passwords from kerberos?

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Jan 7 12:20:40 1992

Date: Tue, 7 Jan 92 11:49:47 -0500
From: tytso@Athena.MIT.EDU (Theodore Ts'o)
To: jh@efd.lth.se
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: Joergen Haegg's message of Tue, 7 Jan 1992 09:53:34 MET,
Reply-To: tytso@Athena.MIT.EDU

   From: jh@efd.lth.se (Joergen Haegg)
   Date: Tue, 7 Jan 1992 09:53:34 MET

   Is it possible to make the login-program in the telnet-directory
   to use the kerberos password instead of /etc/passwd?

   Or is that still considered unsafe?
   (By spoofing the kerberos server.)

It depends.  If the login program is using the kerberos password as
typed by the user in the clear, over the telnet channel, and you do not
have a srvtab on that machine, the answer is yes, and it will always be
yes.  

The reason for this is that the way it "uses the kerberos password" is
to attempt to get ticket-granting-tickets from the Kerberos server, and
then decrypt them with the user's password.  If the result looks sane,
then it is assumed that the password must be good.  The problem is that
unless you actually use the tickets, they may have been provided by an
attacker who encrypted some things that looked like tickets in the
password of his choice.  Of course, the first time you use the phony
tickets you will find out very quickly that they don't work --- but a
program which just assumes if it can decrypt the ticket-granting ticket,
the user must be legitimate can be misled.  A program which tries to do
this is really using the Kerberos protocol in a way which it was not
designed, so it really has "voided the warranty" and isn't guaranteed to
be secure (and it isn't).

If the machine has a srvtab, it is possible for the program to use the
ticket-granting tickets to obtain an application ticket from the KDC,
and the program could then verify those tickets using the service key
found in the srvtab.  This does close the hole, but there isn't a
convenient API in the Kerberos library to implement this, since this
really wasn't one of the original design goals of Kerberos.
If you're really interested, I can ship you a subroutine that I wrote
which does perform this check.

						- Ted

P.S.  I don't encourage the use of passwords over the network, since
someone with a Macintosh on your network running Etherpeek could capture
your password --- it's a very friendly, commercially available program;
very little wizardry is required.  Whether the password is a "Kerberos
password" or an /etc/passwd password doesn't make a difference.  It
would be better to use a Kerberos mediated authentication via telnet or
rlogin instead of depending on passwords being sent over the network in
the clear.
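The two login strategies Ted contrasts, as an added illustration that is not part of the original message and not his subroutine: a toy model in Python of a KDC, an impostor answering in its place, a login routine that accepts a password as soon as the AS reply decrypts, and one that first spends the TGT on a ticket for the local host and checks that ticket against the srvtab key. The cipher (a SHA-256 keystream with an HMAC tag standing in for DES-CBC plus its checksum), the principal names, the omission of the authenticator and of the session-key wrapping of the TGS reply, and all class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets


def derive_key(secret: str) -> bytes:
    # Stand-in for Kerberos string-to-key (assumption: plain SHA-256 of the password).
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, payload: dict) -> dict:
    """Toy authenticated encryption; the tag plays the role of the ticket's checksum."""
    nonce = secrets.token_bytes(16)
    plain = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_box(key: bytes, box: dict) -> dict:
    """Decrypt; raise ValueError when the result does not 'look sane' under this key."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("does not decrypt sanely under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class Kdc:
    """The legitimate KDC: holds every principal's key, including the host's."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.tgs_key = secrets.token_bytes(32)  # krbtgt key, never leaves the KDC

    def as_request(self, client: str) -> dict:
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt})

    def tgs_request(self, tgt: dict, service: str) -> dict:
        inner = open_box(self.tgs_key, tgt)  # a forged TGT is rejected here
        return seal(self.keys[service], {"client": inner["client"], "session": inner["session"]})


class SpoofedKdc:
    """An impostor answering in the KDC's place. It knows no real key, so it seals
    the AS reply under a password of its own choosing: that password 'decrypts fine'."""

    def __init__(self, chosen_password: str):
        self.chosen_key = derive_key(chosen_password)

    def as_request(self, client: str) -> dict:
        session = secrets.token_bytes(32).hex()
        fake_tgt = seal(secrets.token_bytes(32), {"client": client, "session": session})
        return seal(self.chosen_key, {"session": session, "tgt": fake_tgt})

    def tgs_request(self, tgt: dict, service: str) -> dict:
        # Without the host's srvtab key it cannot mint a checkable service ticket.
        return seal(secrets.token_bytes(32), {"client": "?", "session": "?"})


def naive_login(kdc, user: str, password: str) -> bool:
    """The pattern the message warns about: accept the user if the AS reply decrypts."""
    try:
        open_box(derive_key(password), kdc.as_request(user))
    except ValueError:
        return False
    return True


def verified_login(kdc, user: str, password: str, srvtab: dict, host: str) -> bool:
    """The fix: obtain a ticket for this host and verify it with the srvtab key."""
    try:
        creds = open_box(derive_key(password), kdc.as_request(user))
        inner = open_box(srvtab[host], kdc.tgs_request(creds["tgt"], host))
    except (ValueError, KeyError):
        return False
    return inner["client"] == user and inner["session"] == creds["session"]


def demo() -> dict:
    host = "host/login.example.org"  # constructed host principal
    keys = {"alice": derive_key("correct horse"), host: secrets.token_bytes(32)}
    real, srvtab, spoof = Kdc(keys), {host: keys[host]}, SpoofedKdc("attacker-chosen")
    return {
        "real_naive": naive_login(real, "alice", "correct horse"),
        "real_verified": verified_login(real, "alice", "correct horse", srvtab, host),
        "wrong_pw_verified": verified_login(real, "alice", "wrong", srvtab, host),
        "spoof_naive": naive_login(spoof, "alice", "attacker-chosen"),
        "spoof_verified": verified_login(spoof, "alice", "attacker-chosen", srvtab, host),
    }


if __name__ == "__main__":
    print(demo())
```

The `spoof_naive` entry is the hole: the impostor's reply decrypts under the password it picked, so the naive routine admits whoever typed that password. `spoof_verified` shows why the srvtab matters: the impostor cannot produce a ticket that opens under the host key, so the login fails, exactly the check the message describes.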
