[27304] in Kerberos


Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Tue Jan 30 10:44:16 2007

Date: Tue, 30 Jan 2007 10:42:03 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Jeff Blaine <jblaine@kickflop.net>
Message-ID: <2874FF40049279FF16B8F31B@sirius.fac.cs.cmu.edu>
In-Reply-To: <45B132A4.8000704@kickflop.net>
MIME-Version: 1.0
Content-Disposition: inline
Cc: Jeffrey Hutzelman <jhutz@cmu.edu>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



On Friday, January 19, 2007 04:05:40 PM -0500 Jeff Blaine
<jblaine@kickflop.net> wrote:

> Setting this value to false leaves
> the system vulnerable to DNS spoofing attacks.

This somewhat understates the problem, and IMHO doesn't do a very good job
of describing what is going on here.  Basically, the idea is that if you
are going to let a user log in by typing his Kerberos password, you want to
be sure the resulting TGT was issued by a real TGT.  The way you do this is
by getting a service ticket for some service whose key you know, and
checking that the ticket is valid.

Setting this option to false disables that check, which means that a user
can log in by putting a fake KDC on the network, typing a username and
password, and arranging for his fake KDC's response to reach you before the
real one.  This often isn't very hard, especially if the user has physical
access to the machine's network connection.

The "DNS spoofing attacks" referred to in the documentation are on the
lookup of the KDC's address - one way to insert a fake KDC is to convince
your machine to send its KDC requests to the wrong IP address.  But there
are plenty of other attacks which do not involve DNS and are often
available to an attacker trying to log in on the console of a machine.



> 3.  My /etc/krb5/krb5.keytab *does* have (and has always had)
>      entries for both host/test.foo.com@JBTEST and
>      host/192.168.168.100@JBTEST

Is JBTEST configured as the default realm in krb5.conf?
Do you have a domain_realm section mapping test.foo.com to JBTEST?
Is the krb5.conf file in the right place?


-- Jeff
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
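The check described in the reply above (obtain a service ticket for a principal whose key is in the local keytab, and reject the login if that ticket cannot be decrypted), as an added example that is not part of the original post or of any pam_krb5 code. The "cipher", the password-to-key derivation and the KDC class are constructed stand-ins for the real Kerberos exchanges; the principal names follow the ones in the thread.

```python
import hashlib, hmac, json, secrets

# Toy authenticated encryption standing in for Kerberos' encrypted parts
# (constructed for this example; it is not a real Kerberos enctype).
def seal(key, obj):
    nonce, plain = secrets.token_bytes(16), json.dumps(obj).encode()
    ks = hashlib.shake_256(key + nonce).digest(len(plain))
    body = bytes(a ^ b for a, b in zip(plain, ks))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    ks = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, ks)))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()

class KDC:
    # Real or rogue: a KDC knows exactly the user and service keys it was built with.
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = secrets.token_bytes(32)          # TGTs are sealed under this
    def as_rep(self, user):                            # AS exchange: password -> TGT
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session})
        return seal(self.user_keys[user], {"session": session}), tgt
    def tgs_rep(self, tgt, service):                   # TGS exchange: TGT -> service ticket
        who = unseal(self.tgs_key, tgt)["client"]
        return seal(self.service_keys[service], {"client": who, "service": service})

def pam_login(kdc, user, password, keytab, verify_ap_req_nofail=True):
    """True if login is accepted; keytab models /etc/krb5/krb5.keytab on the host."""
    enc_part, tgt = kdc.as_rep(user)
    try:
        unseal(string_to_key(password), enc_part)      # password matches what this KDC holds
    except ValueError:
        return False
    if not verify_ap_req_nofail:
        return True                                    # weak setting: trust whoever answered first
    service = next(iter(keytab))
    try:                                               # ask the same KDC for a ticket to ourselves
        ticket = unseal(keytab[service], kdc.tgs_rep(tgt, service))
    except ValueError:
        return False                                   # not sealed with our host key: rogue KDC
    return ticket["client"] == user
```

A KDC that was fed the password the user typed can always produce a decryptable AS-REP; only a KDC holding the host's keytab key can produce a service ticket that `unseal` accepts, which is why the keytab entry and the default-realm mapping in krb5.conf both matter.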
