Security with Samba 3.0 and Kerberos

Andrew Bartlett abartlet at samba.org
Sat Apr 5 00:13:12 GMT 2003


On Sat, 2003-04-05 at 06:12, Antti Tikkanen wrote:
> Hi all,
> 
> I have not seen any discussion about how secure Kerberos authentication
> is when used with a Samba 3.0 server. After some tests mainly on replay
> attacks I do have a few concerns.
> 
> The 3.0 alpha versions of Samba do not seem to cache used authenticators?
> This combined with the fact that if a W2k Server is acting as KDC, the
> Kerberos tickets will *not* include IP addresses makes a replay attack really,
> really easy. The time skew limit is absolutely not enough. All I need to do
> is listen in to the session setup andX and use a slightly modified client
> to replay the KRB_AP_REQ and log in with someone else's credentials.
> 
> Effectively this makes Kerberos authentication as secure as plaintext
> passwords over the network, or would you agree?
> 
> In contrast, a Windows 2000 Server will cache used authenticators. This
> makes things a little bit harder. Still, if a malicious user has access to
> the local network, capturing the KRB_AP_REQ and replaying it to the server
> before it has a chance to cache it is not a hard task.

That is a very interesting issue.  I don't believe it's been considered,
so some help in adding such a cache would be very useful.  

Given the race here, the most we can hope to do is deny the original
user's logon, which might (won't :-) give them a clue about what's going
on...

Likewise, I would like to implement a cache (PDC side this time) on used
NTLMv2 and LMv2 credentials.

I think the only way to 'fix' this would be to require SMB signing
using Kerberos (as an attacker would therefore not be able to craft any
packets, once authenticated).  This is an area of active interest for
me, and if you want to help with getting it going I would very much
appreciate it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
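
An added example, not part of the original message or of Samba's code: a minimal authenticator replay cache of the kind discussed in the thread above, keyed on the client principal plus the authenticator's ctime and cusec fields and bounded by the clock-skew window. The 300-second skew, the fixed table size and the names `rc_check` and `struct seen` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SKEW  300   /* accepted clock skew in seconds (assumed value) */
#define SLOTS 1024  /* fixed table size, chosen for the example */
enum rc_result { RC_OK, RC_SKEW, RC_REPLAY, RC_REJECT };

/* One accepted authenticator: client principal plus its ctime/cusec fields. */
struct seen { char client[128]; time_t auth_time; long auth_usec; int used; };
static struct seen cache[SLOTS];

/* Hypothetical helper: decide whether an authenticator may be accepted at `now`. */
enum rc_result rc_check(const char *client, time_t auth_time, long auth_usec, time_t now)
{
    int free_slot = -1;
    if (strlen(client) >= sizeof cache[0].client)
        return RC_REJECT;               /* never store a truncated name */
    if (auth_time < now - SKEW || auth_time > now + SKEW)
        return RC_SKEW;                 /* outside the skew window */
    for (int i = 0; i < SLOTS; i++) {
        struct seen *e = &cache[i];
        /* Entries older than the window already fail the skew check: expire them. */
        if (e->used && e->auth_time < now - SKEW)
            e->used = 0;
        if (!e->used) {
            if (free_slot < 0) free_slot = i;
        } else if (e->auth_time == auth_time && e->auth_usec == auth_usec &&
                   strcmp(e->client, client) == 0) {
            return RC_REPLAY;           /* same authenticator presented twice */
        }
    }
    if (free_slot < 0)
        return RC_REJECT;               /* table full: fail closed */
    strcpy(cache[free_slot].client, client);   /* length checked above */
    cache[free_slot].auth_time = auth_time;
    cache[free_slot].auth_usec = auth_usec;
    cache[free_slot].used = 1;
    return RC_OK;
}

int main(void)
{
    time_t now = 1049501592;            /* constructed server time */
    printf("first:  %d\n", rc_check("user@EXAMPLE.ORG", now - 2, 1234, now));
    printf("replay: %d\n", rc_check("user@EXAMPLE.ORG", now - 2, 1234, now + 1));
    return 0;
}
```

The cache rejects only the second presentation of an authenticator; as the thread notes, it does not decide which presentation reaches the server first.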