oss-sec mailing list archives

Re: Insecure DNS dependency in many Kerberos deployments


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 16 Aug 2017 18:08:53 -0400

On Wed 2017-08-16 10:52:54 -0700, Russ Allbery wrote:
> Florian Weimer <fweimer () redhat com> writes:
>
>> As a rule of thumb, the impact is similar to running TLS with CA-based
>> certificate validation, but without host name checks (but perhaps
>> slightly less because the trust domains could be much smaller).
>
> I think this overstates the impact somewhat.  This is more worrisome with
> TLS because for most TLS applications there is a single global trust
> domain with certificates issued by dozens or hundreds of parties and no
> organizational scoping.

fwiw, I think that's what Florian means by his parenthetical aside.

> This is a much higher bar to meet, and in a lot of organizations this
> bar cannot be easily met by an attacker.

While i understand the desire to be clear about the constrained scope of
the risk, i think another way of saying what you're saying is "control
over one service in a domain and the ability to poison the DNS allows
that service operator to masquerade as any other service in the domain".

Even for domains where a single administrator controls all machines,
this violates principles of privilege separation that admins rely on to
be able to deploy potentially-buggy services without putting the other
services at risk.

So i think it's worth taking this seriously, despite(?) its age and
widespread deployment.

> For the record, those are settings for *a* Kerberos client library,
> not *the* Kerberos client library (specifically, the MIT Kerberos
> implementation).  Heimdal does not use those settings, and there are
> other Kerberos implementations as well.

The fact that some client libraries *don't* do this should give us hope
that it's fixable, even in existing deployments :)

     --dkg
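The masquerade dkg describes above, as an added toy model that is not code from this thread, from MIT Kerberos or from Heimdal: the realm, hostnames, addresses, long-term keys and the HMAC stand-in for ticket encryption are all constructed, and the `dns_canonicalize` flag is a made-up name for "the client trusts DNS to pick the service principal".

```python
import hashlib
import hmac

REALM = "EXAMPLE.COM"

# Constructed KDC key table: one long-term key per host principal.
KDC_KEYS = {
    "host/a.example.com@EXAMPLE.COM": b"long-term-key-of-a",
    "host/b.example.com@EXAMPLE.COM": b"long-term-key-of-b",
}

# Constructed DNS zone.  The operator of b.example.com is the insider from the
# thread: they legitimately hold b's key and can also poison answers for a.
DNS_FORWARD = {"a.example.com": "192.0.2.10", "b.example.com": "192.0.2.20"}
DNS_REVERSE = {"192.0.2.10": "a.example.com", "192.0.2.20": "b.example.com"}


def service_principal(hostname, dns_canonicalize, dns_forward=DNS_FORWARD):
    """Derive host/<name>@REALM the way a client would.

    dns_canonicalize=True trusts DNS: forward-resolve the name, then map the
    address back to a name.  False uses the name the user asked for, so DNS
    cannot change which key the ticket ends up bound to."""
    if dns_canonicalize:
        hostname = DNS_REVERSE[dns_forward[hostname]]
    return f"host/{hostname}@{REALM}"


def kdc_issue_ticket(principal, session_key):
    """KDC: bind the session key to the principal under that principal's key."""
    tag = hmac.new(KDC_KEYS[principal], session_key, hashlib.sha256).digest()
    return {"principal": principal, "session_key": session_key, "tag": tag}


def server_accepts(ticket, server_key):
    """Server: the ticket is usable only if it was issued under our own key."""
    expected = hmac.new(server_key, ticket["session_key"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def run_scenario(dns_canonicalize, poisoned):
    """Client wants a.example.com; b's operator intercepts holding only b's key.

    Returns True when the interceptor can use the client's ticket."""
    forward = dict(DNS_FORWARD)
    if poisoned:
        forward["a.example.com"] = "192.0.2.20"   # a now resolves to b's box
    principal = service_principal("a.example.com", dns_canonicalize, forward)
    ticket = kdc_issue_ticket(principal, session_key=b"fresh-session-key")
    return server_accepts(ticket, KDC_KEYS["host/b.example.com@EXAMPLE.COM"])
```

Only the combination of DNS-driven canonicalization and a poisoned answer lets b's key unlock a ticket the client meant for a; with canonicalization off, the same poisoned zone buys the insider nothing.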
