On Tue, Jun 27, 2017 at 05:44:25PM -0700, Russ Allbery wrote:
> Jeffrey Hutzelman <jh...@cmu.edu> writes:
> > ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract
> > anything; it generates a new key with a new kvno and stores it in both
> > the keytab and the kdb. MIT kadmind, going back as far as krb4, didn't
> > even have an operation to fetch existing keys from the database; that
> > was considered an exceptionally dangerous ability and not really
> > necessary.
> >
> > Heimdal initially took a different approach, which is still what
> > ext_keytab does by default, for backward compatibility and to avoid
> > unpleasantly-surprising results. With -r, it randomizes the key instead,
> > which is safer. Note that ext_keytab without -r will not work if you
> > don't have the get-keys privilege.
> >
> > I have patches going back as far as Heimdal 0.6 which make get-keys a
> > separate privilege not included in 'all'. I didn't write the change that
> > eventually made it into Heimdal, but I certainly agree with it.
>
> +1. I was one of the people who asked for this. Extracting the key
> without changing it opens some nasty attack paths where an attacker can
> silently get a copy of the key currently in use and use that to snoop on
> traffic and forge sessions.
>
> If the attacker has to invalidate the old key in order to download new
> keys, the detection story is much better and the attacker is a bit more
> limited in what they can immediately do.

In many environments an admin can collate a copy of the KDB by just
visiting every host and hoovering up their keytabs. But they won't get
expunged old keys that way.

We do need better key mgmt support though. It'd be nice to have automatic
rekeying and expunging of keys too old to be needed for decrypting
extant live tickets.

Some such software exists, such as Roland Dowdeswell's krb5_admin suite
(which does fantastic things, like using multi-party ECDH to atomically
agree on and install keys for clusters). But it'd be nice if Heimdal
had better support like that built in.

We've made some progress in that direction, and the get-keys privilege
is one step in that direction.

The get-keys privilege is not a lot of pain for sites given that
ext_keytab will tell you what's up and there's a way to put things the
way they were if you need to.

I might be up for enhancing ext_keytab's error message to also mention
the -r option. But that's it.

We will not revisit the get-keys change, except, if anything, to someday
remove that and the original ext_keytab functionality!
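
An added example, not part of the original thread or of Heimdal: the detection benefit discussed above can be checked mechanically, because a randomizing extraction gives the principal a new kvno in the KDB, so a host keytab whose newest kvno lags the KDB was re-keyed somewhere else. The sketch assumes the keytab file format version 0x0502 and a KDB kvno map collected separately; `parse_keytab`, `kvno_drift`, `sample_entry` and the sample principals are hypothetical names and constructed data.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno)] from a format-0x0502 keytab; keys are not kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        p, end = pos, pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        def counted():                 # 16-bit length, then that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        kvno = data[p + 8]             # 8-bit kvno follows name type + timestamp
        p += 11                        # name type, timestamp, kvno, enctype
        counted()                      # key material: read past, never returned
        if end - p >= 4:               # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append((f"{name}@{realm}", kvno))
        pos = end
    return out

def kvno_drift(keytab, kdb_kvnos):     # principal -> (keytab kvno, KDB kvno)
    newest = {}
    for princ, kvno in parse_keytab(keytab):
        newest[princ] = max(kvno, newest.get(princ, 0))
    return {p: (newest[p], k) for p, k in kdb_kvnos.items() if newest.get(p, k) < k}

def sample_entry(name, realm, kvno):   # one constructed entry with a dummy all-zero key
    c = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", name.count(b"/") + 1) + c(realm) + b"".join(map(c, name.split(b"/")))
            + struct.pack(">IIBH", 1, 0, kvno, 18) + c(bytes(32)) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + sample_entry(b"host/web1.example.org", b"EXAMPLE.ORG", 3)
          + sample_entry(b"HTTP/web1.example.org", b"EXAMPLE.ORG", 5))
print(kvno_drift(SAMPLE, {"HTTP/web1.example.org@EXAMPLE.ORG": 6}))
```

A non-empty result means the KDB holds a newer key than the host does, which is the visible trace a randomizing extraction leaves and a silent get-keys extraction does not.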