Date: Wed, 16 Aug 2017 09:11:41 -0400
From: Daniel Kahn Gillmor <>
To: Florian Weimer <>,
Subject: Re: Insecure DNS dependency in many Kerberos deployments

On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:
> By default, Kerberos clients perform host name canonicalization (search
> path resolution, CNAME chain chasing and PTR lookups) to obtain a
> service principal name.  This allows service impersonification:

This is a long-standing security flaw in Kerberos, and I think it has
probably been stumbled across by anyone who has tried to deploy a new
Kerberos environment.  (I know, because I did, many many years ago)

It's particularly bad that this is the default for new deployments
because novices deploying a new kerberos domain are unlikely to deviate
from the defaults out of fear of breaking something.  The result is that
nearly every single krb5 deployment has this bug.

The band-aid needs to have been pulled off ages ago so that it's fixed
for new deployments, and legacy deployments need to explicitly enable it
if they need it.

Alas, I don't know how to make this transition happen smoothly :(

> Some deployments have implemented compatibility with
> dns_canonicalize_hostname = false by moving the canonicalization to the
> application instead, which is of course equally insecure:

Thanks for noticing these, Florian.  This is a disturbing trend:
backflow of security flaws as they get fixed in one place for
"compatibility" in another. :/


Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
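
As an added illustration that is not part of this message or the thread, here is a small Python audit of the client setting discussed above, reporting whether a krb5.conf still lets DNS choose the service principal name. The sample configurations are constructed; the `rdns` relation and the stated defaults are taken from MIT krb5's krb5.conf format rather than from this page, and treating the first occurrence of a relation as the effective one is an assumption.

```python
import re

# Assumption: MIT krb5 defaults when a relation is absent from [libdefaults].
DEFAULTS = {"dns_canonicalize_hostname": "true", "rdns": "true"}
FALSE_WORDS = {"false", "no", "n", "nil", "0", "off"}

# Constructed sample configurations (not taken from any real deployment).
STOCK_CONF = "[libdefaults]\n    default_realm = EXAMPLE.TEST\n"
RDNS_OFF_CONF = STOCK_CONF + "    rdns = false\n"
HARDENED_CONF = STOCK_CONF + "    dns_canonicalize_hostname = false\n"


def libdefaults(text):
    """Return the relations explicitly set in [libdefaults] of krb5.conf text."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found.setdefault(key, value.lower())  # assumption: first one wins
    return found


def audit(text):
    """Return findings about DNS-driven service principal canonicalization."""
    explicit = libdefaults(text)
    conf = {**DEFAULTS, **explicit}
    canon = conf["dns_canonicalize_hostname"]
    if canon in FALSE_WORDS:
        return []  # rdns has no effect once canonicalization is off
    how = "explicitly" if "dns_canonicalize_hostname" in explicit else "by default"
    findings = [f"dns_canonicalize_hostname={canon} ({how}): "
                "DNS answers decide the service principal name"]
    if conf["rdns"] not in FALSE_WORDS:
        findings.append("rdns enabled: PTR lookups are part of canonicalization")
    return findings


if __name__ == "__main__":
    for name, conf in [("stock", STOCK_CONF), ("rdns off", RDNS_OFF_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(name, "->", audit(conf) or "no DNS canonicalization")
```
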
