[29040] in Kerberos
Re: Is "SPN advertisement" or well-known SPNs a security hole?
daemon@ATHENA.MIT.EDU (Srinivas Kakde)
Mon Jan 14 22:31:28 2008
Date: Mon, 14 Jan 2008 17:39:04 -0800 (PST)
From: Srinivas Kakde <srinivas.kakde@yahoo.com>
To: Russ Allbery <rra@stanford.edu>
MIME-Version: 1.0
Message-ID: <497011.76106.qm@web46003.mail.sp1.yahoo.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ,
Thank you for responding.
Russ Allbery wrote:
> If the client trusts the server's assertion of what Kerberos service it
> is, a server with any service principal in either the client's realm or
a
> realm with which it has cross-realm trust can then pretend to be any
> service without failing mutual authentication.
Is this right? How does it not fail mutual authentication?
Does not mutual authentication requires exchange of AP-REQ and AP-REP. How would a malicious service (a service that pretending to be another service in the realm) acquire the session key from the ticket in the AP-REQ (from a client) to produce the EncAPRepPart of the AP-REP unless it has the right key in its keytab?
If a service advertise a service principal name and a client is able to use this name and obtain a valid AP-REQ, I think:
1) KDC/TGS must have an entry for the name (so that clients can obtain a service ticket for the AP-REQ)
2) Service must have the key that matches the name in its keytab (so it can extract session key from the service ticket and produce AP-REQ).
If you can (1) create account on KDC/TGS and (2) create keytab on the service host with the correct key to decrypt service tickets, you would need to be realm admin. Therefore not malicious?
----- Original Message ----
From: Russ Allbery <rra@stanford.edu>
To: Srinivas Kakde <srinivas.kakde@yahoo.com>
Cc: kerberos@mit.edu
Sent: Monday, January 14, 2008 3:37:07 PM
Subject: Re: Is "SPN advertisement" or well-known SPNs a security hole?
Srinivas Kakde <srinivas.kakde@yahoo.com> writes:
> There is an old posting to samba-technical
>
> http://lists.samba.org/archive/samba-technical/2007-July/054354.html
>
> This message says: From a security standpoint, allowing the server to
> specify its service principal is a "bad idea".
>
> Why it a bad idea?
If the client trusts the server's assertion of what Kerberos service it
is, a server with any service principal in either the client's realm or
a
realm with which it has cross-realm trust can then pretend to be any
service without failing mutual authentication.
--
Russ Allbery (rra@stanford.edu)
<http://www.eyrie.org/~eagle/>
____________________________________________________________________________________
Looking for last minute shopping deals?
Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
