On Mon, Oct 15, 2007 at 04:50:19PM -0400, Bill Sommerfeld wrote: > On Mon, 2007-10-15 at 15:36 -0500, Nicolas Williams wrote: > > That MIT supports a NONE rcache should be no excuse for Solaris > > supporting it too if any of the other options performs sufficiently > > well. > > It's been a while since I glued kerberos into a protocol, but my > recollection is that it is possible to do so (by including nonces or > channel-binding-like things into the authenticator) in a way that > renders the replay cache unnecessary. Any work done to manage a replay > cache for such an application would be 100% wasted.
Indeed it is, but not in the case of applications like TELNET, BSD r-cmd, FTP, or HTTP/Negotiate (although in the last protocol's case the situation is already compromised in other ways, such as by not providing mutual authentication nor any channel binding to TLS). The best example of an application that doesn't need an rcache is SSHv2, but because it shares a principal (host/...) with telnet and the others, it's still possible to attempt an MITM attack on SSHv2 (which will fail) and then re-use the AP-REQ from the SSHv2 client against telnet/... servers on the same target server. NFS w/ RPCSEC_GSS doesn't need an rcache either, provided that the "context handle" numbers assigned by the server in RPCSEC_GSS are always monotonically increasing. Nico --
