oss-sec mailing list archives

Re: Insecure DNS dependency in many Kerberos deployments


From: Russ Allbery <eagle () eyrie org>
Date: Wed, 16 Aug 2017 10:52:54 -0700

Florian Weimer <fweimer () redhat com> writes:

> As a rule of thumb, the impact is similar to running TLS with CA-based
> certificate validation, but without host name checks (but perhaps
> slightly less because the trust domains could be much smaller).

I think this overstates the impact somewhat.  This is more worrisome with
TLS because for most TLS applications there is a single global trust
domain with certificates issued by dozens or hundreds of parties and no
organizational scoping.  This is *not* the case for Kerberos.  To exploit
this flaw in Kerberos, the attacker has to be able to control service
principals (for the same target service with a different hostname) within
the same Kerberos realm (or, in some circumstances, one reachable by
cross-realm trust).  This is a much higher bar to meet, and in a lot of
organizations this bar cannot be easily met by an attacker.

The attack is definitely possible, and the Kerberos community has been
aware of this problem for a long time (there are a lot of difficult issues
involved in closing it, but everyone has wanted to close it), but it's not
as exploitable as the TLS equivalent (at least in the absence of
organizational cert pinning).

> The Kerberos client library enables this canonicalization by default:
>
>        dns_canonicalize_hostname
>               Indicate whether name lookups will be used to canonicalize
>               hostnames for use in service principal names.  Setting this
>               flag to false can improve security by reducing reliance on
>               DNS, but means that short hostnames will not be canonicalized
>               to fully-qualified hostnames.  The default value is true.
>
>        rdns   If this flag is true, reverse name lookup will be used in
>               addition to forward name lookup to canonicalizing hostnames
>               for use in service principal names.  If
>               dns_canonicalize_hostname is set to false, this flag has no
>               effect.  The default value is true.

For the record, those are settings for *a* Kerberos client library, not
*the* Kerberos client library (specifically, the MIT Kerberos
implementation).  Heimdal does not use those settings, and there are other
Kerberos implementations as well.

-- 
Russ Allbery (eagle () eyrie org)              <http://www.eyrie.org/~eagle/>
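An added example, not part of the thread and not MIT krb5 code: a small model of the forward/reverse canonicalization that the quoted krb5.conf(5) text describes, run against a constructed in-memory DNS table instead of a real resolver. It shows how a spoofed or attacker-controlled PTR (or CNAME) record changes the service principal a client asks for, and how `rdns = false` and `dns_canonicalize_hostname = false` narrow that. The realm `EXAMPLE.COM`, the domain `example.com`, the hostnames and the addresses are all assumptions made up for the illustration.

```python
"""Model of DNS-based service-principal canonicalization (added example).

This is NOT MIT krb5's code; it mimics the behaviour described in the
krb5.conf(5) excerpt quoted in the thread, using a constructed DNS table.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

REALM = "EXAMPLE.COM"          # assumed realm
DEFAULT_DOMAIN = "example.com"  # assumed search domain for short names


@dataclass
class FakeDNS:
    """Constructed zone data: CNAME aliases, forward A records, reverse PTRs."""
    cname: dict[str, str]
    a: dict[str, str]
    ptr: dict[str, str]

    def forward(self, name: str) -> Optional[tuple[str, str]]:
        """Like getaddrinfo() with AI_CANONNAME: qualify, follow CNAME, return
        (canonical name, address) or None if the name does not resolve."""
        fqdn = name if "." in name else f"{name}.{DEFAULT_DOMAIN}"
        seen = set()
        while fqdn in self.cname and fqdn not in seen:   # follow alias chain
            seen.add(fqdn)
            fqdn = self.cname[fqdn]
        addr = self.a.get(fqdn)
        return (fqdn, addr) if addr else None

    def reverse(self, addr: str) -> Optional[str]:
        """Like getnameinfo(): PTR lookup for an address."""
        return self.ptr.get(addr)


def service_principal(service: str, hostname: str, dns: FakeDNS,
                      dns_canonicalize_hostname: bool = True,
                      rdns: bool = True) -> str:
    """Build service/host@REALM the way a client with the given settings would."""
    host = hostname
    if dns_canonicalize_hostname:
        fwd = dns.forward(hostname)
        if fwd:
            host, addr = fwd
            if rdns:                      # reverse lookup overrides the name
                rev = dns.reverse(addr)
                if rev:
                    host = rev
    return f"{service}/{host.lower()}@{REALM}"


# Constructed zone data for the illustration.
LEGIT = FakeDNS(
    cname={},
    a={"db.example.com": "10.0.0.5"},
    ptr={"10.0.0.5": "db.example.com"},
)

# Same forward data, but the reverse zone now points at a host whose
# service key the attacker holds (a principal in the SAME realm, which is
# the bar Russ describes above).
SPOOFED_PTR = FakeDNS(
    cname={},
    a={"db.example.com": "10.0.0.5"},
    ptr={"10.0.0.5": "evil.example.com"},
)

# Forward-only variant: a spoofed CNAME redirects the canonical name itself,
# which rdns=false does not help against.
SPOOFED_CNAME = FakeDNS(
    cname={"db.example.com": "evil.example.com"},
    a={"evil.example.com": "10.0.0.9"},
    ptr={"10.0.0.9": "evil.example.com"},
)


if __name__ == "__main__":
    for label, zone in (("legit", LEGIT), ("spoofed PTR", SPOOFED_PTR),
                        ("spoofed CNAME", SPOOFED_CNAME)):
        print(f"{label:14} defaults      -> {service_principal('host', 'db', zone)}")
        print(f"{label:14} rdns=false    -> "
              f"{service_principal('host', 'db', zone, rdns=False)}")
        print(f"{label:14} no DNS canon. -> "
              f"{service_principal('host', 'db', zone, dns_canonicalize_hostname=False)}")
```

With the defaults, the client asking for `host/db` ends up requesting a ticket for `host/evil.example.com@EXAMPLE.COM`; the attack only works if that principal exists in the realm and the attacker holds its key, which is the organizational bar discussed above. Setting `rdns = false` in the `[libdefaults]` section of krb5.conf stops the PTR case but not the CNAME case; `dns_canonicalize_hostname = false` stops both, at the cost of `host/db@EXAMPLE.COM` no longer being expanded to the FQDN, so the KDC must then know that short-name principal.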

