
Re: rdns, past and future

daemon@ATHENA.MIT.EDU (Ken Dreyer)
Wed May 27 14:02:36 2020

MIME-Version: 1.0
In-Reply-To: <9d4eb6d7-2aec-47fb-767a-1f3b0855e331@secure-endpoints.com>
From: Ken Dreyer <ktdreyer@ktdreyer.com>
Date: Wed, 27 May 2020 11:59:46 -0600
Message-ID: <CAD3FbMUzw1z6oCdy=iwk2ODygZD5fEyNp+tqfkFgb+Z-h62qxw@mail.gmail.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, May 26, 2020 at 4:59 PM Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
>
> On 5/26/2020 6:31 PM, Ken Dreyer wrote:
> > On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
> > <jaltman@secure-endpoints.com> wrote:
> >>
> >>  2. Before the existence of DNS SRV records, CNAME records were the
> >>     only method of offering a service on multiple hosts.  However,
> >>     it's a poor idea to share the same key across all of the hosts.
> >
> > I'm curious about this. What makes it a poor idea?
> >
> > It seems like a very convenient way to scale a service up and down
> > dynamically quickly when you share a key among all instances.
>
> Because if you hack into one of the hosts you now have the key for all
> of the hosts.  The holder of the key can forge tickets for any user.

This is true only if the administrator has enabled constrained
delegation for that key (e.g. ok_to_auth_as_delegate), right? Is there
some other scenario I'm missing?

> Since the key isn't unique the entire distributed service has to be
> shut down to address the vulnerability.

Ok, that makes sense. I was thinking of a homogeneous environment
where each app server runs the exact same versions of code, so an
attacker entry through a vulnerability on one system means that all
systems almost certainly have the same vulnerability.

> It is also much harder to trace where the key was stolen from.

Yeah, that's fair.

- Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
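The blast-radius argument Jeffrey makes above (one stolen key exposes every host that shares it, and the whole service must be re-keyed at once) is something an administrator can check for directly. The following is an added example, not code from this thread or from MIT Kerberos: a small Python audit that parses a format-2 (0x0502) keytab and reports service principals that are backed by identical key material. The sample keytab, principal names and key bytes are all constructed inline so it runs offline; a real audit would read the keytab files collected from each host instead of `SAMPLE_KEYTAB`. The parser skips timestamps and name types and does not handle the older 0x0501 layout.

```python
import hashlib
import struct
from collections import defaultdict

# MIT keytab file format, version 2 (magic 0x0502). Layout of each entry:
#   int32 size | uint16 ncomp | realm | ncomp * component | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key
#   | optional uint32 vno32
# Counted strings are uint16 length + bytes; all integers are big-endian.
KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18   # enctype number from RFC 3962
KRB5_NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes.
    Used here only to construct a sample keytab for the audit below."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", KRB5_NT_PRINCIPAL, 0)   # name_type, timestamp (0: constructed)
        body += struct.pack(">B", kvno & 0xFF)              # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                     # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of {principal, kvno, enctype, key} dicts for every live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format version 2 (0x0502) is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        pos += 8                         # skip name_type and timestamp
        vno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        if end - pos >= 4:               # 32-bit vno present; a nonzero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def key_fingerprint(enctype: int, key: bytes) -> str:
    """Short, non-reversible label for a key so reports never contain key bytes."""
    return hashlib.sha256(struct.pack(">H", enctype) + key).hexdigest()[:16]


def find_shared_keys(entries):
    """Map fingerprint -> sorted principals wherever one key backs more than one principal."""
    by_fp = defaultdict(set)
    for e in entries:
        by_fp[key_fingerprint(e["enctype"], e["key"])].add(e["principal"])
    return {fp: sorted(ps) for fp, ps in by_fp.items() if len(ps) > 1}


# Constructed sample: app1 and app2 were keyed from one shared secret, app3 has its own.
_SHARED_KEY = bytes(range(32))
_UNIQUE_KEY = bytes(range(31, -1, -1))
SAMPLE_ENTRIES = [
    ("host/app1.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, _SHARED_KEY),
    ("host/app2.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, _SHARED_KEY),
    ("host/app3.example.com@EXAMPLE.COM", 5, ENCTYPE_AES256_CTS_HMAC_SHA1_96, _UNIQUE_KEY),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for fp, principals in find_shared_keys(parse_keytab(SAMPLE_KEYTAB)).items():
        print(f"key {fp} is shared by: {', '.join(principals)}")
```

Every principal group the report prints is one rotation unit: if any host in the group is compromised, all of them need a new key, which is exactly the coordinated shutdown Jeffrey describes. Per-host keys (one principal per host behind SRV records) shrink each group to a single entry, and then a stolen key also points at the host it was taken from.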
