Date: Wed, 16 Aug 2017 09:11:41 -0400
From: Daniel Kahn Gillmor <>
To: Florian Weimer <>,
Subject: Re: Insecure DNS dependency in many Kerberos deployments

On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:
> By default, Kerberos clients perform host name canonicalization (search
> path resolution, CNAME chain chasing and PTR lookups) to obtain a
> service principal name.  This allows service impersonation:

This is a long-standing security flaw in Kerberos, and I think it has
probably been stumbled across by anyone who has tried to deploy a new
Kerberos environment.  (I know, because I did, many many years ago.)

It's particularly bad that this is the default for new deployments
because novices deploying a new Kerberos domain are unlikely to deviate
from the defaults out of fear of breaking something.  The result is that
nearly every single krb5 deployment has this bug.

The band-aid needs to have been pulled off ages ago so that it's fixed
for new deployments, and legacy deployments need to explicitly enable it
if they need it.

Alas, I don't know how to make this transition happen smoothly :(

> Some deployments have implemented compatibility with
> dns_canonicalize_hostname = false by moving the canonicalization to the
> application instead, which is of course equally insecure:

Thanks for noticing these, Florian.  This is a disturbing trend:
backflow of security flaws as they get fixed in one place for
"compatibility" in another. :/
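The canonicalization steps Florian lists (search-path resolution, CNAME chasing, PTR lookup), traced in an added Python model that is not part of this thread or of any krb5 implementation; the `service_principal` function, the resolver dict and all host names and addresses in it are constructed for illustration:

```python
# Added example (not from the thread, nor MIT/Heimdal krb5 code): a simplified
# model of how a Kerberos client turns the typed host name into the service
# principal it requests. The resolver is a constructed dict standing in for DNS
# answers: forward name -> {"A"/"CNAME"}, address -> {"PTR"}.

MAX_CNAME_DEPTH = 8  # bound on CNAME chasing so a looping chain cannot hang us


def service_principal(typed_host, realm, resolver, search_domains=(),
                      dns_canonicalize_hostname=True, rdns=True):
    """Return 'host/<name>@REALM' as the client would request it.

    With canonicalization on, the name goes through search-path expansion,
    CNAME chasing and (if rdns) a PTR lookup, so whoever controls those
    answers chooses which principal the client authenticates to. With it
    off, the principal is built from the name exactly as typed.
    """
    name = typed_host.lower()
    if not dns_canonicalize_hostname:
        return f"host/{name}@{realm}"
    if "." not in name:  # 1. search-path expansion of an unqualified name
        for dom in search_domains:
            if f"{name}.{dom}" in resolver:
                name = f"{name}.{dom}"
                break
    for _ in range(MAX_CNAME_DEPTH):  # 2. follow the CNAME chain
        rec = resolver.get(name, {})
        if "CNAME" not in rec:
            break
        name = rec["CNAME"]
    else:
        raise ValueError("CNAME chain too long or looping")
    if rdns:  # 3. reverse lookup: the PTR name replaces the forward name
        addr = resolver.get(name, {}).get("A")
        ptr = resolver.get(addr, {}).get("PTR") if addr else None
        if ptr:
            name = ptr
    return f"host/{name}@{realm}"


# Constructed records (RFC 5737 documentation addresses, not real hosts). The
# PTR for 192.0.2.20 disagrees with the forward name, as it would if reverse
# DNS were stale or controlled by someone other than the service owner.
RECORDS = {
    "files.example.com": {"A": "192.0.2.10"},
    "192.0.2.10": {"PTR": "files.example.com"},
    "files-alias.example.com": {"CNAME": "files.example.com"},
    "srv.example.com": {"A": "192.0.2.20"},
    "192.0.2.20": {"PTR": "other.example.com"},
    "loop-a.example.com": {"CNAME": "loop-b.example.com"},
    "loop-b.example.com": {"CNAME": "loop-a.example.com"},
}
```

In MIT krb5 the corresponding `[libdefaults]` switches in krb5.conf are `dns_canonicalize_hostname` and `rdns`; the model shows why the typed name and the canonicalized name can denote different principals, which is the compatibility gap that led to the application-side workarounds Florian describes.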
