oss-sec mailing list archives
Re: Insecure DNS dependency in many Kerberos deployments
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 16 Aug 2017 09:11:41 -0400
On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:
> By default, Kerberos clients perform host name canonicalization (search path resolution, CNAME chain chasing and PTR lookups) to obtain a service principal name. This allows service impersonation:
This is a long-standing security flaw in Kerberos, and I think it has probably been stumbled across by anyone who has tried to deploy a new Kerberos environment. (I know, because I did, many, many years ago.) It's particularly bad that this is the default for new deployments, because novices deploying a new Kerberos domain are unlikely to deviate from the defaults out of fear of breaking something. The result is that nearly every single krb5 deployment has this bug. The band-aid needs to have been pulled off ages ago so that it's fixed for new deployments, and legacy deployments need to explicitly enable it if they need it. Alas, I don't know how to make this transition happen smoothly :(
> Some deployments have implemented compatibility with dns_canonicalize_hostname = false by moving the canonicalization to the application instead, which is of course equally insecure:
Thanks for noticing these, Florian. This is a disturbing trend: backflow of security flaws as they get fixed in one place for "compatibility" in another. :/

--dkg
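The setting the thread turns on is the dns_canonicalize_hostname knob in krb5.conf (together with rdns, which governs the PTR lookup half of canonicalization). As an added illustration that is not part of this thread or of the MIT krb5 project, the Python below audits the [libdefaults] section of a krb5.conf for the DNS-dependent behaviour Florian describes. Both configuration samples are constructed for the example; the boolean spellings accepted are the ones MIT krb5's profile library documents (true/yes/on/1 and false/no/off/0), and any other value, including the newer "fallback" setting, is treated as still DNS-dependent.

```python
"""Audit krb5.conf [libdefaults] for DNS-driven service principal canonicalization.

Added example; the config texts are constructed and the function names are our own.
"""
from __future__ import annotations

# Constructed sample: nothing set, which is what a fresh deployment usually ships with.
# MIT krb5 treats a missing dns_canonicalize_hostname and rdns as true.
WEAK_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # dns_canonicalize_hostname and rdns left unset: both default to true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: the principal is built from the name the application asked for,
# not from whatever the resolver (search path, CNAME chain, PTR record) answered.
HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_canonicalize_hostname = false
    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

TRUE_WORDS = {"true", "yes", "on", "1", "t", "y"}
FALSE_WORDS = {"false", "no", "off", "0", "f", "n"}


def parse_libdefaults(text: str) -> dict[str, str]:
    """Return the flat key = value pairs of [libdefaults], ignoring other sections.

    Brace-delimited subsections (as in [realms]) are tracked only so that their
    contents are skipped; the keys audited here are plain top-level settings.
    """
    settings: dict[str, str] = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(";"):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def is_true(value: str | None, default: bool) -> bool:
    """Interpret a krb5.conf boolean; unknown spellings count as 'still consults DNS'."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in FALSE_WORDS:
        return False
    if v in TRUE_WORDS:
        return True
    # e.g. "fallback": the client retries with DNS canonicalization when the
    # un-canonicalized name fails, so the DNS dependency is not actually gone.
    return True


def audit(text: str) -> list[str]:
    """Return findings for a krb5.conf; an empty list means canonicalization is off."""
    s = parse_libdefaults(text)
    findings = []
    if is_true(s.get("dns_canonicalize_hostname"), default=True):
        findings.append("dns_canonicalize_hostname is not false: the service principal "
                        "is derived from DNS answers (search path, CNAME chasing)")
    if is_true(s.get("rdns"), default=True):
        findings.append("rdns is not false: a PTR lookup can rewrite the host part "
                        "of the service principal")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(f"{label}: {audit(conf) or ['ok']}")
```

Run it against a real /etc/krb5.conf by passing the file's contents to audit(); a non-empty result means the client still lets the resolver pick the principal it will authenticate to. Disabling canonicalization only helps if applications then request the exact principal they mean, which is the second point Florian raises.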