Re: Question about dns_lookup_realm and domain_realm
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Fri Jun 27 11:33:33 2008
From: Ken Raeburn <raeburn@MIT.EDU>
To: Simo Sorce <ssorce@redhat.com>
In-Reply-To: <1214579831.3822.276.camel@localhost.localdomain>
Message-Id: <B25978A4-5510-461C-8127-28AB4F847251@mit.edu>
Mime-Version: 1.0 (Apple Message framework v924)
Date: Fri, 27 Jun 2008 11:32:28 -0400
Cc: kerberos@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
On Jun 27, 2008, at 11:17, Simo Sorce wrote:
> This statement is interesting; how are TXT records "insecure"?
If a forged TXT RR is received, the client may be told the server is
in a different realm. That realm may have been compromised by an
attacker, and cross-realm authentication to it may be possible
(especially if and when we get something PKINIT-like deployed). So
the client can "successfully" authenticate to
host/server.foo.com@BLACK-HATS.TLD, and never know that that's not the
principal it should be authenticating to for server.foo.com.
> Isn't "validation" all about verifying the KDC is one we can really
> trust by using a trusted secret?
Cross-realm authentication and the possibility of compromised
"neighbor" realms make it much more complicated.
> How is local configuration data trustworthy given that to resolve
> names to IPs we still rely on DNS?
Trusting address records from DNS, but not trusting DNS at all for
authentication purposes, would mean the attacker could get the client
to connect to server.black-hats.tld, but it would try authenticating
to the originally intended service principal; since the black hats
don't have the service key, it would fail, and the client should
disconnect. It's a denial of service, but not a transparent spoofing
of the service.
> Do we have information on which clients support referrals?
Current Microsoft and MIT clients do; I wouldn't be surprised if
Heimdal does as well.
> And are they implemented in MIT KDC (and how) ?
Not yet. A basic implementation (using the domain_realm mapping from
the KDC's config files) is currently on my plate.
Ken
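The realm-mapping behaviour Ken describes, modelled as an added example (not code from the thread or from MIT krb5): a static [domain_realm] lookup beside a dns_lookup_realm-style TXT lookup, with a constructed DNS table that includes a forged _kerberos TXT answer. The lookup order (hostname first, then each parent domain with a leading dot) is a simplified model of the MIT client, and the DOMAIN_REALM and FAKE_DNS_TXT tables are assumptions built for this demo.

```python
"""Host-to-realm mapping: static [domain_realm] versus DNS TXT lookup."""

# Constructed stand-in for a krb5.conf [domain_realm] section.
DOMAIN_REALM = {
    "foo.com": "FOO.COM",
    ".foo.com": "FOO.COM",
}

# Constructed stand-in for answers to _kerberos.<name> TXT queries.
# The first entry models a forged RR that points the client at a
# different (possibly compromised) realm.
FAKE_DNS_TXT = {
    "_kerberos.server.foo.com": "BLACK-HATS.TLD",
    "_kerberos.foo.com": "FOO.COM",
}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def realm_from_config(host, domain_realm):
    """Consult [domain_realm]: the hostname itself, then '.parent' suffixes."""
    labels = _labels(host)
    keys = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in domain_realm:
            return domain_realm[key]
    return None


def realm_from_dns_txt(host, dns_txt):
    """Model of dns_lookup_realm: query _kerberos.<host>, then each parent."""
    labels = _labels(host)
    for i in range(len(labels)):
        answer = dns_txt.get("_kerberos." + ".".join(labels[i:]))
        if answer:
            return answer
    return None


def resolve_realm(host, domain_realm, dns_lookup_realm, dns_txt):
    """Static mapping wins; DNS TXT is consulted only as a fallback when enabled."""
    realm = realm_from_config(host, domain_realm)
    if realm is None and dns_lookup_realm:
        realm = realm_from_dns_txt(host, dns_txt)
    return realm


def service_principal(host, domain_realm, dns_lookup_realm, dns_txt):
    """Build host/<fqdn>@<REALM>, or None when no realm could be determined."""
    realm = resolve_realm(host, domain_realm, dns_lookup_realm, dns_txt)
    return None if realm is None else f"host/{host}@{realm}"
```

With an empty [domain_realm] and dns_lookup_realm enabled, the forged TXT answer yields host/server.foo.com@BLACK-HATS.TLD; with the static mapping in place the same host resolves to FOO.COM regardless of what DNS says.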
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos