[2290] in Kerberos_V5_Development
Re: ["Tony Mione" ] DNS lookups for Host Realm information
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Mar 7 14:06:15 1997
To: Ezra Peisach <epeisach@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Fri, 07 Mar 1997 13:52:29 EST." <9703071852.AA06380@kangaroo.mit.edu>
Date: Fri, 07 Mar 1997 14:04:07 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>I believe, although I cannot prove it, that if I can spoof a DNS packet
>and fool a host into believing it is a host in my locally administrated
>kerberos realm that I could probably break in by fooling login.krb5 into
>talking to me for the initial TGT. If memory serves correctly, this
>would be sufficient to break into a machine (assuming the machine in
>question does not have a keytab).
Hmmmm ... now that I think about it, it wouldn't matter if there was
a keytab or not, would it? login.krb5 would try to look up the host
principal for "host/<host>@WRONG.REALM" in the keytab, not find it, and just
trust the initial TGT.
--Ken
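A toy model of the check discussed in this exchange, added here as an illustration and not code from the thread, from MIT Kerberos or from login.krb5: tickets are HMAC tags over principal names, the host name, realms and keys are constructed, and the two login functions are hypothetical models of the behaviour Ken describes (realm taken from the TGT, missing keytab entry means "trust") and of a fail-closed alternative (realm from local configuration, missing entry means "refuse", service ticket must decrypt with the local host key).

```python
import hashlib
import hmac

LOCAL_REALM = "LOCAL.REALM"          # constructed: the realm this host really belongs to
HOST = "client.example.org"          # constructed host name
HOST_KEY = b"constructed-host-key"   # known to the real KDC and stored in the keytab
ROGUE_KEY = b"constructed-rogue-key" # all an attacker's KDC for WRONG.REALM can seal with


def issue_ticket(service, realm, key):
    """Model of a KDC for `realm` issuing a ticket for `service`, sealed with `key`."""
    tag = hmac.new(key, f"{service}@{realm}".encode(), hashlib.sha256).digest()
    return {"service": service, "realm": realm, "tag": tag}


def ticket_decrypts(ticket, key):
    """True if the ticket was sealed with `key` (stands in for decrypting it)."""
    name = f"{ticket['service']}@{ticket['realm']}".encode()
    return hmac.compare_digest(hmac.new(key, name, hashlib.sha256).digest(), ticket["tag"])


def real_kdc(service, realm):
    return issue_ticket(service, realm, HOST_KEY)


def rogue_kdc(service, realm):
    return issue_ticket(service, realm, ROGUE_KEY)  # can name any realm, but lacks HOST_KEY


def login_lookup_by_tgt_realm(tgt_realm, keytab, kdc):
    """Behaviour described in the thread: the host principal's realm is the one the
    (DNS-derived) TGT came from; no keytab entry for that name means the TGT is trusted."""
    key = keytab.get(f"host/{HOST}@{tgt_realm}")
    if key is None:
        return True  # "not find it, and just trust the initial TGT"
    return ticket_decrypts(kdc(f"host/{HOST}", tgt_realm), key)


def login_verify_fail_closed(tgt_realm, keytab, kdc):
    """Hardened model: the realm comes from local configuration, not from the TGT
    (tgt_realm is deliberately ignored), a missing entry is a failure, and the service
    ticket fetched with the TGT must decrypt with the locally held host key."""
    key = keytab.get(f"host/{HOST}@{LOCAL_REALM}")
    if key is None:
        return False
    return ticket_decrypts(kdc(f"host/{HOST}", LOCAL_REALM), key)


KEYTAB = {f"host/{HOST}@{LOCAL_REALM}": HOST_KEY}


def scenario(login):
    """(genuine login accepted?, login steered to WRONG.REALM by a DNS spoof accepted?)"""
    return login(LOCAL_REALM, KEYTAB, real_kdc), login("WRONG.REALM", KEYTAB, rogue_kdc)
```

`scenario(login_lookup_by_tgt_realm)` accepts both logins even though a keytab is present, which is the point of the reply above; `scenario(login_verify_fail_closed)` accepts only the genuine one.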