[23831] in Kerberos
Re: Denial of service when using Active Directory for KDC ?
daemon@ATHENA.MIT.EDU (jpbermejo)
Fri May 6 04:33:41 2005
From: jpbermejo <jpbermejo@prisacom.com>
To: Markus Moeller <huaraz@moeller.plus.com>,
Tim Alsop <Tim.Alsop@CyberSafe.Ltd.UK>
In-Reply-To: <427a879b$0$550$ed2e19e4@ptn-nntp-reader04.plus.net>
Content-Type: text/plain
Date: Fri, 06 May 2005 10:34:26 +0200
Message-Id: <1115368467.5377.21.camel@sist31lnx.prisacom.int>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Reply-To: jpbermejo@prisacom.com
Errors-To: kerberos-bounces@mit.edu
On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
> Tim,
> in our setup we use computer accounts instead of user accounts, and don't
> have experienced this issue. I think the latest ktpass can do this with
> mapuser having a $ at the end.
I don't know about computer accounts, but this DoS is not possible if
you are using service principals. Active Directory doesn't allow login
for service principals, and keytabs are only useful to decrypt tickets.
Making an LDAP query to AD, you can get things like
dNSHostName: sist03lnx.domain.com
userPrincipalName: HOST/sist03lnx@DOMAIN.COM
servicePrincipalName: HTTP/sist03lnx.domain.com
servicePrincipalName: HTTP/sist03lnx
In this case, only the HOST/sist03lnx keytab works with `kinit -k`. If you
attempt to get a TGT with the other principals, you get nothing.
Javier Palacios
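As an added example (not part of the original post or of the MIT Kerberos project), the following POSIX shell script takes LDAP attributes in the shape shown above and separates the account's userPrincipalName, the only name the post says works with `kinit -k`, from its servicePrincipalName entries, which only map tickets to the account. The sample LDIF is constructed from the values quoted in the message; the ldapsearch invocation in the comment and the keytab path in `probe_keytab` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an LDIF-style dump with the
# attributes the post shows (dNSHostName / userPrincipalName / servicePrincipalName).
# In practice such a dump would come from something like (assumed invocation):
#   ldapsearch -LLL -Y GSSAPI -b "DC=domain,DC=com" "(dNSHostName=sist03lnx.domain.com)" \
#       dNSHostName userPrincipalName servicePrincipalName
# The sample below is constructed from the values quoted in the message.

SAMPLE_LDIF='dNSHostName: sist03lnx.domain.com
userPrincipalName: HOST/sist03lnx@DOMAIN.COM
servicePrincipalName: HTTP/sist03lnx.domain.com
servicePrincipalName: HTTP/sist03lnx'

# Print the account's UPN: the one name AD will accept in an AS-REQ (kinit -k).
# Reads LDIF on stdin.
upn_principal() {
    sed -n 's/^userPrincipalName: //p'
}

# Print the SPNs: they let the KDC issue tickets *to* the account, but AD does
# not let them log in, so they cannot be used to obtain a TGT.
spn_principals() {
    sed -n 's/^servicePrincipalName: //p'
}

# Summarise which names are TGT-capable and which are service-only.
report() {
    ldif="$1"
    printf '%s\n' "$ldif" | upn_principal | while IFS= read -r p; do
        printf 'TGT-capable (kinit -k): %s\n' "$p"
    done
    printf '%s\n' "$ldif" | spn_principals | while IFS= read -r p; do
        printf 'service-only (no TGT):  %s\n' "$p"
    done
}

# Optional live check on a host that can reach the KDC: try kinit -k with each
# SPN from the keytab and confirm the KDC refuses it. Not run by default;
# invoke by hand, e.g. `probe_keytab /etc/krb5.keytab` (keytab path assumed).
probe_keytab() {
    keytab="$1"
    printf '%s\n' "$SAMPLE_LDIF" | spn_principals | while IFS= read -r p; do
        if kinit -k -t "$keytab" "$p" 2>/dev/null; then
            printf 'UNEXPECTED: %s obtained a TGT\n' "$p"
        else
            printf 'as expected: %s refused\n' "$p"
        fi
    done
}

report "$SAMPLE_LDIF"
```

Running the script prints one `TGT-capable` line for `HOST/sist03lnx@DOMAIN.COM` and two `service-only` lines for the HTTP SPNs; `probe_keytab` is the hands-on counterpart of the post's "you get nothing" observation and is only useful on a domain-joined host with a keytab.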
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos