[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)

[simo]

On Mon, 2008-08-25 at 02:38 +0100, Love Hörnquist Åstrand wrote:
> 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> 
> > Everything I've read does say that windows clients don't use the
> > contents of the MIC field. The idea was that this would be useful for
> > allowing kerberos auth in situations where clients and servers have
> > differing ideas about the hostname of the server (either broken DNS or
> > maybe trying to mount a CNAME).
> 
> Semi modern windows servers doesn't put a hostname there, so it wont  
> be much use either.
> 
> Windows just assume if you can look up the name, the same name will be  
> in the SPN in the ldap.
> 
> > I'll confess though that I haven't thought through the security
> > implications fully here. Obviously, we don't want to do this if it's
> > dangerous...
> >
> > So that I understand correctly, what exactly is the risk of using the
> > server-provided principal?
> 
> You try to connect to host/my.secrets.com at GOOD.COM, but since the host  
> announces
> host/will.fake.your.data.secrets.com at GOOD.COM you'll use that instead  
> and never notice that you talk to wrong host.

Love,
this would be true if we used the name returned to connect to a
different host.
But we only do use it to get a ticket, we do not use the name to resolve
an IP to which to connect as we are already connected to the host.

Now, assuming the connection is already established, what would be the
risk if the server is telling us the wrong name? The ticket we get from
the KDC (after the connection is established) will work only if the
server we are connected to actually has the corresponding keytab.

Is there an attack vector that could be used here if the ticket we try
to use is not in fact the one we should use ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>