Date: Wed, 16 Aug 2017 09:11:41 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com
Subject: Re: Insecure DNS dependency in many Kerberos deployments

On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:
> By default, Kerberos clients perform host name canonicalization (search
> path resolution, CNAME chain chasing and PTR lookups) to obtain a
> service principal name. This allows service impersonation:

This is a long-standing security flaw in Kerberos, and I think it has
probably been stumbled across by anyone who has tried to deploy a new
Kerberos environment. (I know, because I did, many many years ago.)

It's particularly bad that this is the default for new deployments,
because novices deploying a new Kerberos domain are unlikely to deviate
from the defaults out of fear of breaking something. The result is that
nearly every single krb5 deployment has this bug.

The band-aid should have been pulled off ages ago so that it's fixed for
new deployments, and legacy deployments need to explicitly enable it if
they need it. Alas, I don't know how to make this transition happen
smoothly :(

> Some deployments have implemented compatibility with
> dns_canonicalize_hostname = false by moving the canonicalization to the
> application instead, which is of course equally insecure:

Thanks for noticing these, Florian. This is a disturbing trend: backflow
of security flaws as they get fixed in one place for "compatibility" in
another. :/

--dkg

Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
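The following Python model is an added illustration for readers of this thread; it is not part of either message above and is not MIT krb5 code (it calls no Kerberos library). It replays the three canonicalization steps Florian lists (search-path expansion, CNAME chasing, PTR lookup) against constructed DNS answers and shows how the derived service principal, and therefore which server key the ticket is encrypted in, changes when the answers are attacker-controlled. The zone contents, the realm EXAMPLE.COM, the hosts nas01/evil and the addresses are all assumptions made up for the example.

```python
"""Model of client-side host name canonicalization in Kerberos and why it
lets a DNS attacker pick the service principal.  Constructed example, not
libkrb5: the 'resolver' is a dictionary of DNS answers we invent."""

from dataclasses import dataclass

REALM = "EXAMPLE.COM"   # assumption for the example


@dataclass
class FakeResolver:
    """Stand-in for the DNS answers a client receives (constructed data)."""
    search: list   # resolver search path, e.g. ["example.com"]
    cname: dict    # owner name -> CNAME target
    a: dict        # name -> IPv4 address
    ptr: dict      # IPv4 address -> PTR name

    def canonicalize(self, host, rdns=True):
        """Mimic the default client behaviour:
        1. append the search domain to a short name,
        2. follow the CNAME chain,
        3. (if rdns) replace the name with the PTR of its address."""
        name = host if "." in host else f"{host}.{self.search[0]}"
        seen = set()
        while name in self.cname:
            if name in seen:
                raise ValueError("CNAME loop")
            seen.add(name)
            name = self.cname[name]
        if rdns and name in self.a and self.a[name] in self.ptr:
            name = self.ptr[self.a[name]]
        return name.lower().rstrip(".")


def service_principal(resolver, service, host,
                      dns_canonicalize_hostname=True, rdns=True):
    """Build service/host@REALM the way a client would, with the
    equivalents of the krb5.conf knobs dns_canonicalize_hostname and rdns."""
    if dns_canonicalize_hostname:
        host = resolver.canonicalize(host, rdns=rdns)
    else:
        host = host.lower().rstrip(".")     # trust only what the user typed
    return f"{service}/{host}@{REALM}"


# Honest zone: files -> nas01, PTR agrees.
HONEST = FakeResolver(
    search=["example.com"],
    cname={"files.example.com": "nas01.example.com"},
    a={"nas01.example.com": "192.0.2.10"},
    ptr={"192.0.2.10": "nas01.example.com"},
)

# Attacker controls the answers (spoofing or a compromised resolver):
# the CNAME now points at the attacker's host.
POISONED = FakeResolver(
    search=["example.com"],
    cname={"files.example.com": "evil.example.com"},
    a={"evil.example.com": "192.0.2.66"},
    ptr={"192.0.2.66": "evil.example.com"},
)

# Only the reverse zone is attacker-controlled; forward answers are honest.
PTR_POISONED = FakeResolver(
    search=["example.com"],
    cname={"files.example.com": "nas01.example.com"},
    a={"nas01.example.com": "192.0.2.10"},
    ptr={"192.0.2.10": "evil.example.com"},
)

# Assumption: the attacker holds the key for their own host principal only.
ATTACKER_PRINCIPALS = {f"host/evil.example.com@{REALM}"}


def impersonation_possible(principal):
    """The attacker can only finish the AP exchange if the service ticket
    the client requests is encrypted in a key the attacker holds."""
    return principal in ATTACKER_PRINCIPALS


if __name__ == "__main__":
    for label, r in (("honest", HONEST), ("poisoned", POISONED),
                     ("ptr-poisoned", PTR_POISONED)):
        for opts in ({}, {"rdns": False},
                     {"dns_canonicalize_hostname": False}):
            p = service_principal(r, "host", "files.example.com", **opts)
            print(f"{label:13} {opts or 'defaults'!s:40} {p}  "
                  f"impersonation={impersonation_possible(p)}")
```

Two things the model makes visible: with canonicalization on, a poisoned CNAME alone is enough, so `rdns = false` only closes the reverse-lookup variant; with `dns_canonicalize_hostname = false` the client asks the KDC for exactly `host/files.example.com`, which the attacker cannot decrypt, but the KDC must then know that principal (as a separate keytab entry or a KDC-side alias), which is the compatibility cost that tempts people to re-implement the lookup in the application.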