Date: Wed, 16 Aug 2017 09:11:41 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: Insecure DNS dependency in many Kerberos deployments

On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:

> By default, Kerberos clients perform host name canonicalization (search
> path resolution, CNAME chain chasing and PTR lookups) to obtain a
> service principal name. This allows service impersonification:

This is a long-standing security flaw in kerberos, and i think it has probably been stumbled across by anyone who has tried to deploy a new kerberos environment. (i know, because i did, many many years ago)

It's particularly bad that this is the default for new deployments because novices deploying a new kerberos domain are unlikely to deviate from the defaults out of fear of breaking something. The result is that nearly every single krb5 deployment has this bug.

The band-aid needs to have been pulled off ages ago so that it's fixed for new deployments, and legacy deployments need to explicitly enable it if they need it. Alas, I don't know how to make this transition happen smoothly :(

> Some deployments have implemented compatibility with
> dns_canonicalize_hostname = false by moving the canonicalization to the
> application instead, which is of course equally insecure:

Thanks for noticing these, Florian. This is a disturbing trend: backflow of security flaws as they get fixed in one place for "compatibility" in another. :/

--dkg
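Added example, not part of this thread and not MIT krb5 code: a simplified Python model of how the default canonicalization (search path, CNAME chase, PTR lookup) turns a typed host name into a service principal built from resolver-supplied data, beside a small check of a krb5.conf `[libdefaults]` section for the `dns_canonicalize_hostname` setting the thread discusses. The DNS records, realm and config text are constructed for illustration.

```python
import re

# Constructed DNS data (not real hosts). The user types "fs"; the search path
# expands it, the name is a CNAME, and the PTR record for the resulting address
# names a different host. Every step is data the resolver hands back, so a
# resolver or zone the client does not control decides the final principal.
DNS = {
    "CNAME": {"fs.example.com": "storage.example.com"},
    "A":     {"storage.example.com": "192.0.2.10"},
    "PTR":   {"192.0.2.10": "untrusted.example.com"},
}

def canonicalize(host, search_domain="example.com", records=DNS):
    """Model of the default client behaviour: search path, CNAME chase, then PTR."""
    if "." not in host:
        host = f"{host}.{search_domain}"
    seen = set()
    while host in records["CNAME"] and host not in seen:   # chase the CNAME chain
        seen.add(host)
        host = records["CNAME"][host]
    addr = records["A"].get(host)
    return records["PTR"].get(addr, host)                # reverse lookup wins if present

def service_principal(host, service="host", realm="EXAMPLE.COM", canonicalize_dns=True):
    """Build service/<name>@REALM; with canonicalize_dns=False the typed name is used as-is,
    which is why callers must then supply a fully qualified name themselves."""
    name = canonicalize(host) if canonicalize_dns else host
    return f"{service}/{name.lower()}@{realm}"

def dns_canonicalize_setting(krb5_conf_text):
    """Return the dns_canonicalize_hostname value set in [libdefaults] (lower-cased),
    or None when it is absent, i.e. when the library default (true) applies."""
    section = None
    for line in krb5_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()             # drop comments
        header = re.match(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            kv = re.match(r"dns_canonicalize_hostname\s*=\s*(\S+)", line)
            if kv:
                return kv.group(1).lower()
    return None
```

Run `service_principal("fs")` and `service_principal("fs.example.com", canonicalize_dns=False)` to see the two derivations diverge; a config whose checker result is not `"false"` is relying on the default the thread calls out.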