Date: Thu, 16 May 2002 20:19:14 -0500
From: "Jacques A. Vidrine" <[EMAIL PROTECTED]>

On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
> Hopefully the Kerberos clarifications in the krb-wg will address this
> issue and MIT will change their implementation..

Change it how?

By not using DNS to construct service principals. Currently, when a request for (say) "[EMAIL PROTECTED]" is made, the MIT GSS/Kerb implementations perform a forward lookup of "ad.cmu.edu" and then a reverse lookup of the answer (say "fred.ad.cmu.edu") and then request a ticket for the service principal "ldap/fred.ad.cmu.edu". Since DNS is an insecure mechanism (an attacker could substitute "myevilmachine.cmu.edu" for "fred.ad.cmu.edu" in the DNS response) this leads to a vulnerability. Microsoft Kerberos implementations aren't subject to this attack.

Larry

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos

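As an added illustration (not code from this thread and not MIT's implementation), the following Python models the lookup sequence Larry describes against a constructed, in-memory resolver, so the principal obtained from honest DNS data can be compared with the one obtained when the reverse answer has been replaced, and with the alternative of using the name as given. The zone check at the end is a heuristic assumed here, not something the mail proposes.

```python
# Added example: model of DNS-based service-principal canonicalization.
# All resolver data below is constructed; nothing is looked up on the network.


class FakeResolver:
    """Constructed stand-in for DNS: name -> address and address -> name."""

    def __init__(self, a_records, ptr_records):
        self.a = a_records      # hostname -> IP address (forward lookup)
        self.ptr = ptr_records  # IP address -> hostname (reverse lookup)

    def forward(self, name):
        return self.a[name]

    def reverse(self, addr):
        return self.ptr[addr]


def principal_with_dns_canonicalization(service, host, resolver):
    """Behaviour described in the mail: forward lookup of the requested host,
    reverse lookup of the resulting address, and the principal is built from
    whatever name the reverse lookup returned."""
    addr = resolver.forward(host)
    canonical = resolver.reverse(addr)
    return f"{service}/{canonical}"


def principal_without_canonicalization(service, host):
    """The alternative the mail proposes: use the name the caller supplied."""
    return f"{service}/{host}"


def canonical_name_is_suspicious(requested_host, canonical_host):
    """Assumed heuristic (not from the mail): flag a reverse answer that falls
    outside the zone of the name that was actually requested."""
    return not (canonical_host == requested_host
                or canonical_host.endswith("." + requested_host))


# Constructed data: one resolver with consistent records, one whose PTR
# answer points at a different host in the parent domain.
HONEST = FakeResolver({"ad.cmu.edu": "192.0.2.10"},
                      {"192.0.2.10": "fred.ad.cmu.edu"})
FORGED = FakeResolver({"ad.cmu.edu": "192.0.2.10"},
                      {"192.0.2.10": "myevilmachine.cmu.edu"})

if __name__ == "__main__":
    for label, resolver in (("honest", HONEST), ("forged", FORGED)):
        p = principal_with_dns_canonicalization("ldap", "ad.cmu.edu", resolver)
        host = p.split("/", 1)[1]
        flag = canonical_name_is_suspicious("ad.cmu.edu", host)
        print(f"{label}: {p} suspicious={flag}")
    print("no canonicalization:", principal_without_canonicalization("ldap", "ad.cmu.edu"))
```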