Security with Samba 3.0 and Kerberos
abartlet at samba.org
Sat Apr 5 00:13:12 GMT 2003
On Sat, 2003-04-05 at 06:12, Antti Tikkanen wrote:
> Hi all,
> I have not seen any discussion about how secure Kerberos authentication
> is when used with a Samba 3.0 server. After some tests mainly on replay
> attacks I do have a few concerns.
> The 3.0 alpha versions of Samba do not seem to cache used authenticators?
> This combined with the fact that if a W2k Server is acting as KDC, the
> Kerberos tickets will *not* include IP addresses makes a replay attack really,
> really easy. The time skew limit is absolutely not enough. All I need to do
> is listen in to the session setup andX and use a slightly modified client
> to replay the KRB_AP_REQ and log in with someone else's credentials.
> Effectively this makes Kerberos authentication as secure as plaintext
> passwords over the network, or would you agree?
> In contrast, a Windows 2000 Server will cache used authenticators. This
> makes things a little bit harder. Still, if a malicious user has access to
> the local network, capturing the KRB_AP_REQ and replaying it to the server
> before it has a chance to cache it is not a hard task.
That is a very interesting issue. I don't believe it's been considered,
so some help in adding such a cache would be very useful.
Given the race here, the most we can hope to do is deny the original
user's logon, which might (won't :-) give them a clue about what's going
Likewise, I would like to implement a cache (PDC side this time) on used
NTLMv2 and LMv2 credentials.
I think the only way to 'fix' this would be to require SMB signing
using kerberos (as an attacker would therefore not be able to craft any
packets, once authenticated). This is an area of active interest for
me, and if you want to help with getting it going I would very much
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net