oss-sec mailing list archives

Re: Insecure DNS dependency in many Kerberos deployments


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 16 Aug 2017 09:11:41 -0400

On Wed 2017-08-16 10:50:33 +0200, Florian Weimer wrote:
> By default, Kerberos clients perform host name canonicalization (search
> path resolution, CNAME chain chasing and PTR lookups) to obtain a
> service principal name.  This allows service impersonation:

This is a long-standing security flaw in Kerberos, and I think it has
probably been stumbled across by anyone who has tried to deploy a new
Kerberos environment.  (I know, because I did, many, many years ago.)

It's particularly bad that this is the default for new deployments,
because novices deploying a new Kerberos domain are unlikely to deviate
from the defaults out of fear of breaking something.  The result is that
nearly every single krb5 deployment has this bug.

The band-aid needs to have been pulled off ages ago so that it's fixed
for new deployments, and legacy deployments need to explicitly enable it
if they need it.

Alas, I don't know how to make this transition happen smoothly :(

> Some deployments have implemented compatibility with
> dns_canonicalize_hostname = false by moving the canonicalization to the
> application instead, which is of course equally insecure:

Thanks for noticing these, Florian.  This is a disturbing trend:
backflow of security flaws as they get fixed in one place for
"compatibility" in another. :/

      --dkg
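To make the mechanism Florian describes concrete, here is an added example (not part of this thread and not MIT krb5 code) that models the three canonicalization steps (search path, CNAME chase, PTR lookup) over a constructed resolver table and shows how the principal the client asks for changes once dns_canonicalize_hostname is off. FakeResolver, service_principal and demo are hypothetical names, the zone data is made up, and the realm suffix is omitted.

```python
# Added example (not from the thread): simplified model of krb5 host-name
# canonicalization; resolver contents are constructed, not real DNS data.
from dataclasses import dataclass, field

@dataclass
class FakeResolver:
    """Stand-in for the system resolver; every answer here is untrusted."""
    search: list = field(default_factory=list)   # resolv.conf search suffixes
    cname: dict = field(default_factory=dict)    # owner name -> CNAME target
    a: dict = field(default_factory=dict)        # name -> IPv4 address
    ptr: dict = field(default_factory=dict)      # address -> PTR name

    def qualify(self, name):
        """Search-path resolution: first suffix under which the name exists."""
        if "." in name:
            return name
        for suffix in self.search:
            candidate = f"{name}.{suffix}"
            if candidate in self.cname or candidate in self.a:
                return candidate
        return name

    def chase_cname(self, name, limit=8):
        """Follow the CNAME chain (bounded) to its canonical target."""
        while name in self.cname and limit > 0:
            name, limit = self.cname[name], limit - 1
        return name

    def reverse(self, name):
        """PTR lookup on the address the name resolves to (name if none)."""
        addr = self.a.get(name)
        return self.ptr.get(addr, name) if addr else name

def service_principal(service, host, resolver, dns_canonicalize_hostname=True):
    """Return 'service/host' (realm omitted). With canonicalization on, every
    step consumes resolver answers, so DNS decides which principal is requested;
    with dns_canonicalize_hostname = false the typed name is used as-is."""
    if dns_canonicalize_hostname:
        host = resolver.qualify(host)
        host = resolver.chase_cname(host)
        host = resolver.reverse(host)
    return f"{service}/{host.lower()}"

def demo():
    """Constructed zone: 'fileserver' is a CNAME to another host."""
    r = FakeResolver(["corp.example"], {"fileserver.corp.example": "other.corp.example"},
                     {"other.corp.example": "192.0.2.10"}, {"192.0.2.10": "other.corp.example"})
    return (service_principal("host", "fileserver", r),
            service_principal("host", "fileserver", r, False))
```

The first element of demo() is whatever the resolver said; the second is the name the user actually typed, which is the only input the client controls.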
