[29036] in Kerberos
Re: Is "SPN advertisement" or well-known SPNs a security hole?
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 14 18:23:09 2008
To: Srinivas Kakde <srinivas.kakde@yahoo.com>
In-Reply-To: <422369.96913.qm@web46012.mail.sp1.yahoo.com> (Srinivas Kakde's
message of "Mon\, 14 Jan 2008 13\:57\:55 -0800 \(PST\)")
From: Russ Allbery <rra@stanford.edu>
Date: Mon, 14 Jan 2008 14:37:07 -0800
Message-ID: <87tzlgniek.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Srinivas Kakde <srinivas.kakde@yahoo.com> writes:
> There is an old posting to samba-technical
>
> http://lists.samba.org/archive/samba-technical/2007-July/054354.html
>
> This message says: From a security standpoint, allowing the server to
> specify its service principal is a "bad idea".
>
> Why it a bad idea?
If the client trusts the server's assertion of what Kerberos service it
is, a server with any service principal in either the client's realm or a
realm with which it has cross-realm trust can then pretend to be any
service without failing mutual authentication.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
