[17590] in Kerberos_V5_Development
Re: clock skew and preauth
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Apr 15 18:38:06 2012
Message-ID: <4F8B4DC4.2020306@mit.edu>
Date: Sun, 15 Apr 2012 18:37:56 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Stef Walter <stefw@gnome.org>
In-Reply-To: <4F7DC8EC.9090807@gnome.org>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 04/05/2012 12:31 PM, Stef Walter wrote:
> Attached is a patch which:
>
> * Stores a timestamp offset in krb5_clpreauth_rock when preauth is
> requested, and uses it during preauth encrypted timestamp.
> * Exposes a new callback for client preauth plugins. Suggested
> by Greg.
> * Refactors krb5_us_timeofday() so we don't copy paste around
> the offset calculation code.
> * Uses an offset because of the prompting delay problem [1]
> * Only enables preauth offsets if kdc_timesync != 0.
I have one concern about this approach, which is that an attacker could
create a false log entry for a successful preauthentication on the KDC
by forging the timestamp in a preauth-required error. That is, you
attempt to kinit at noon; I forge a timestamp of 11pm in the
preauth-required error and capture your preauthenticated request; then
at 11pm I send that request to the KDC to make it look like you
authenticated at that time.
This isn't necessarily a serious enough vulnerability to worry about
(when the alternative is for preauth to just fail with skewed clocks),
but I want to raise the issue before taking the patch.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
