[27318] in Kerberos
Re: Solaris 9 latest OEM SSH + pam_krb5.so.1
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Wed Jan 31 11:48:10 2007
Message-ID: <45C0C868.8020206@kickflop.net>
Date: Wed, 31 Jan 2007 11:48:40 -0500
From: Jeff Blaine <jblaine@kickflop.net>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <2874FF40049279FF16B8F31B@sirius.fac.cs.cmu.edu>
Cc: kerberos@mit.edu
Jeffrey Hutzelman wrote:
> On Friday, January 19, 2007 04:05:40 PM -0500 Jeff Blaine
> <jblaine@kickflop.net> wrote:
>
>> Setting this value to false leaves
>> the system vulnerable to DNS spoofing attacks.
>
> This somewhat understates the problem, and IMHO doesn't do a very good
> job of describing what is going on here. Basically, the idea is that if
> you are going to let a user log in by typing his Kerberos password, you
> want to be sure the resulting TGT was issued by a real TGT. The way you
> do this is by getting a service ticket for some service whose key you
> know, and checking that the ticket is valid.
>
> Setting this option to false disables that check, which means that a
> user can log in by putting a fake KDC on the network, typing a username
> and password, and arranging for his fake KDC's response to reach you
> before the real one. This often isn't very hard, especially if the user
> has physical access to the machine's network connection.
>
> The "DNS spoofing attacks" referred to in the documentation are on the
> lookup of the KDC's address - one way to insert a fake KDC is to
> convince your machine to send its KDC requests to the wrong IP address.
> But there are plenty of other attacks which do not involve DNS and are
> often available to an attacker trying to log in on the console of a
> machine.
Thanks for the more detailed explanation.
>> 3. My /etc/krb5/krb5.keytab *does* have (and has always had)
>> entries for both host/test.foo.com@JBTEST and
>> host/192.168.168.100@JBTEST
>
> Is JBTEST configured as the default realm in krb5.conf?
> Do you have a domain_realm section mapping test.foo.com to JBTEST?
> Is the krb5.conf file in the right place?
Yup
Yup
Yup
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
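
Added example, not part of the original message and not code from pam_krb5: a toy Python model of the check Jeffrey Hutzelman describes, where login obtains a service ticket for the host principal and opens it with the keytab key. HMAC sealing stands in for Kerberos ticket encryption, and the KDC class, login() and the passwords are constructed for illustration.

```python
import hashlib, hmac, os

HOST = "host/test.foo.com@JBTEST"   # host principal named in the thread

def string_to_key(password):
    # Toy password-to-key derivation, not a Kerberos string2key.
    return hashlib.sha256(password.encode()).digest()

def seal(key, body):
    # Toy stand-in for "encrypted under key": HMAC tag followed by the body.
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    # Return the body if blob was sealed under key, else None.
    tag, body = blob[:32], blob[32:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, good) else None

class KDC:
    # Hypothetical KDC: holds user keys and service keys.
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def as_rep(self, user):
        return seal(self.user_keys[user], b"TGT for " + user.encode())
    def tgs_rep(self, user, service):
        return seal(self.service_keys[service], user.encode() + b" -> " + service.encode())

def login(kdc, user, password, keytab, verify=True):
    # Step 1: the AS reply must open with the key derived from the typed password.
    if unseal(string_to_key(password), kdc.as_rep(user)) is None:
        return False
    if not verify:
        return True          # check disabled: whoever answered is trusted
    # Step 2: get a service ticket for the host and open it with the keytab key.
    host_key = keytab.get(HOST)
    if host_key is None:
        return False         # no key to verify against: fail closed
    return unseal(host_key, kdc.tgs_rep(user, HOST)) is not None

# Constructed sample data.
host_key = os.urandom(32)
keytab = {HOST: host_key}
real_kdc = KDC({"alice": string_to_key("alice-real-pw")}, {HOST: host_key})
# A fake KDC can pick any password for alice but cannot know the host key.
fake_kdc = KDC({"alice": string_to_key("made-up-pw")}, {HOST: os.urandom(32)})

def outcomes():
    return (login(real_kdc, "alice", "alice-real-pw", keytab),
            login(fake_kdc, "alice", "made-up-pw", keytab, verify=False),
            login(fake_kdc, "alice", "made-up-pw", keytab, verify=True))
```

outcomes() shows the real KDC passing, the fake KDC being accepted when the check is off, and the fake KDC being rejected when the check is on.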