Russ,
Thank you for responding. Russ Allbery wrote: > If the client trusts the server's assertion of what Kerberos service it > is, a server with any service principal in either the client's realm or a > realm with which it has cross-realm trust can then pretend to be any > service without failing mutual authentication. Is this right? How does it not fail mutual authentication? Does not mutual authentication requires exchange of AP-REQ and AP-REP. How would a malicious service (a service that pretending to be another service in the realm) acquire the session key from the ticket in the AP-REQ (from a client) to produce the EncAPRepPart of the AP-REP unless it has the right key in its keytab? If a service advertise a service principal name and a client is able to use this name and obtain a valid AP-REQ, I think: 1) KDC/TGS must have an entry for the name (so that clients can obtain a service ticket for the AP-REQ) 2) Service must have the key that matches the name in its keytab (so it can extract session key from the service ticket and produce AP-REQ). If you can (1) create account on KDC/TGS and (2) create keytab on the service host with the correct key to decrypt service tickets, you would need to be realm admin. Therefore not malicious? ----- Original Message ---- From: Russ Allbery <[EMAIL PROTECTED]> To: Srinivas Kakde <[EMAIL PROTECTED]> Cc: [email protected] Sent: Monday, January 14, 2008 3:37:07 PM Subject: Re: Is "SPN advertisement" or well-known SPNs a security hole? Srinivas Kakde <[EMAIL PROTECTED]> writes: > There is an old posting to samba-technical > > http://lists.samba.org/archive/samba-technical/2007-July/054354.html > > This message says: From a security standpoint, allowing the server to > specify its service principal is a "bad idea". > > Why it a bad idea? If the client trusts the server's assertion of what Kerberos service it is, a server with any service principal in either the client's realm or a realm with which it has cross-realm trust can then pretend to be any service without failing mutual authentication. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
