Date: Wed, 16 Aug 2017 10:52:54 -0700 From: Russ Allbery <eagle@...ie.org> To: Florian Weimer <fweimer@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: Insecure DNS dependency in many Kerberos deployments Florian Weimer <fweimer@...hat.com> writes: > As a rule of thumb, the impact is similar to running TLS with CA-based > certificate validation, but without host name checks (but perhaps > slightly less because the trust domains could be much smaller). I think this overstates the impact somewhat. This is more worrisome with TLS because for most TLS applications there is a single global trust domain with certificates issued by dozens or hundreds of parties and no organizational scoping. This is *not* the case for Kerberos. To exploit this flaw in Kerberos, the attacker has to be able to control service principals (for the same target service with a different hostname) within the same Kerberos realm (or, in some circumstances, one reachable by cross-realm trust). This is a much higher bar to meet, and in a lot of organizations this bar cannot be easily met by an attacker. The attack is definitely possible, and the Kerberos community has been aware of this problem for a long time (there are a lot of difficult issues involved in closing it, but everyone has wanted to close it), but it's not as exploitable as the TLS equivalent (at least in the absence of organizational cert pinning). > The Kerberos client library enables this canonicalization by default: > dns_canonicalize_hostname > Indicate whether name lookups will > be used to canonicalize hostnames > for use in service principal names. > Setting this flag to false can > improve security by reducing > reliance on DNS, but means that > short hostnames will not be canoni‐ > calized to fully-qualified host‐ > names. The default value is true. > rdns If this flag is true, reverse name > lookup will be used in addition to > forward name lookup to canonicaliz‐ > ing hostnames for use in service > principal names. If dns_canonical‐ > ize_hostname is set to false, this > flag has no effect. The default > value is true. For the record, those are settings for *a* Kerberos client library, not *the* Kerberos client library (specifically, the MIT Kerberos implementation). Heimdal does not use those settings, and there are other Kerberos implementations as well. -- Russ Allbery (eagle@...ie.org) <http://www.eyrie.org/~eagle/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.