[36929] in Kerberos


Re: theory behind unique SPNs

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Apr 24 18:25:01 2015

Date: Fri, 24 Apr 2015 17:24:48 -0500
From: Nico Williams <nico@cryptonector.com>
To: Ben H <bhendin@gmail.com>
Message-ID: <20150424222447.GB13852@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAAd7aub+h+8TiDLWH9+VB5JZLyG6j4MjeK594aRRVkcmnMHa=w@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Apr 24, 2015 at 05:05:32PM -0500, Ben H wrote:
> Nico -  I'm not sure I understand your redirection statement.  Is this from
> a "man-in-the-middle" type perspective?  The fact that each application
> communicates over a specific port would be enough to direct to the correct
> service, no?

Yes.  No; I'm assuming no IPsec or anything else to provide protection
for TCP packets.

For some sets of protocols no redirection attack may be possible, but
ideally the name of the services being different -and their having
different keys- should ensure this for all possible sets of protocols on
a host.

Consider a database server running many users' databases.  Surely you
want each user to have a different service name (and service
credentials) than all the others...

Not only that, to host many per-user services one needs to make key
management easy.  One site I know of uses ${USER}.<server-fqdn> as the
hostnames for per-user services, and they happily let any user get keys
(different from the rest) for HTTP/${USER}.<server-fqdn> at the server's
realm.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
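The thread's point is that a service can only validate tickets issued under its own key, so giving every per-user service (HTTP/${USER}.<server-fqdn>) its own principal and key is what stops a ticket meant for one service from being accepted by another. The following toy model is an added example, not code from this thread or from MIT Kerberos: an HMAC tag stands in for ticket encryption so it runs with the standard library only, and the host db.example.com, realm EXAMPLE.COM, users and keys are constructed sample values.

```python
"""Toy model of why distinct service names and keys matter (added example).

In Kerberos the KDC encrypts a service ticket under the long-term key of the
service principal it was issued for.  Here an HMAC tag under the service key
stands in for that encryption; the property shown is the same: a service can
only validate tickets bound to ITS key, so with one key per service a ticket
redirected to the wrong service is rejected.  All names/keys are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SERVER_FQDN = "db.example.com"   # constructed sample host
REALM = "EXAMPLE.COM"            # constructed sample realm


def per_user_spn(user: str, fqdn: str = SERVER_FQDN) -> str:
    """Build the HTTP/${USER}.<server-fqdn> style principal from the thread."""
    return f"HTTP/{user}.{fqdn}@{REALM}"


def provision_keys(spns: List[str], shared_key: Optional[bytes] = None) -> Dict[str, bytes]:
    """Return {spn: key}.  With shared_key=None every service gets its own
    random key; passing one key models the weak setup where all services
    on the host share a single key."""
    return {spn: (shared_key if shared_key is not None else os.urandom(32))
            for spn in spns}


def issue_ticket(keys: Dict[str, bytes], sname: str, client: str) -> dict:
    """KDC side: bind (client, sname) under the key of the named service."""
    body = f"{client}|{sname}".encode()
    tag = hmac.new(keys[sname], body, hashlib.sha256).digest()
    return {"client": client, "sname": sname, "tag": tag}


def service_accepts(service_key: bytes, ticket: dict, own_name: Optional[str] = None) -> bool:
    """Service side.  Checks the ticket validates under the key this service
    holds; if own_name is given, also requires the ticket's service name to
    match (the 'different names' half of the argument)."""
    body = f"{ticket['client']}|{ticket['sname']}".encode()
    expected = hmac.new(service_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False
    return own_name is None or ticket["sname"] == own_name


def redirection_possible(keys: Dict[str, bytes], issued_for: str,
                         delivered_to: str, pin_name: bool = False) -> bool:
    """Would a ticket issued for `issued_for` be accepted if the connection
    were steered to `delivered_to` instead (no IPsec or other transport
    protection assumed, as in the thread)?"""
    ticket = issue_ticket(keys, issued_for, client="someone@" + REALM)
    own = delivered_to if pin_name else None
    return service_accepts(keys[delivered_to], ticket, own_name=own)


if __name__ == "__main__":
    alice, bob = per_user_spn("alice"), per_user_spn("bob")

    distinct = provision_keys([alice, bob])            # one key per service
    print("distinct keys, redirect alice->bob accepted:",
          redirection_possible(distinct, alice, bob))  # False

    shared = provision_keys([alice, bob], shared_key=os.urandom(32))
    print("shared key, redirect alice->bob accepted:",
          redirection_possible(shared, alice, bob))    # True
    print("shared key but service pins its name:",
          redirection_possible(shared, alice, bob, pin_name=True))  # False
```

The run shows the two halves of the argument separately: with a distinct key per HTTP/${USER}.<server-fqdn> principal the redirected ticket fails validation outright, while a shared key only holds up if every service additionally pins its own principal name, which is exactly the check a keytab-holding service with a wildcard acceptor name does not perform.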
