Security with Samba 3.0 and Kerberos

Andrew Bartlett abartlet at samba.org
Sun Apr 6 02:08:41 GMT 2003


On Sun, 2003-04-06 at 09:07, Love wrote:
> Antti Tikkanen <antti.tikkanen at hut.fi> writes:
> 
> > Hi all,
> >
> > I have not seen any discussion about how secure Kerberos authentication
> > is when used with a Samba 3.0 server. After some tests mainly on replay
> > attacks I do have a few concerns.
> >
> > The 3.0 alpha versions of Samba do not seem to cache used authenticators?
> > This combined with the fact that if a W2k Server is acting as KDC, the
> > Kerberos tickets will *not* include IP addresses makes a replay attack really,
> > really easy. The time skew limit is absolutely not enough. All I need to do
> > is listen in to the session setup andX and use a slightly modified client
> > to replay the KRB_AP_REQ and log in with someone else's credentials.
> >
> > Effectively this makes Kerberos authentication as secure as plaintext
> > passwords over the network, or would you agree?
> 
> Assuming you know the key that is inside the authenticator, protocols that
> don't provide integrity checking are broken by design; adding a Kerberos
> replay cache won't really help.

Welcome to CIFS! ;-)

> Replay caching protects you (when you have an integrity-checked protocol)
> against replaying operations. You can make the server do the same thing as I
> did last time.

Well, with CIFS we can probably play a few games here - if we are
worried about replay attacks on a *signed* connection, we just need to
generate 'random' vuids and tids.  The client has to replay them, and
this should be sufficient to throw it off.  (This is only an issue with
Kerberos connections, because with NTLM they would not get the same
challenge.  Or does the Kerberos server authenticator already include
this kind of value?)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
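As an added illustration of the point under discussion (this is not code from the thread, from Samba or from any Kerberos library), the following Python model shows the acceptor-side checks on a Kerberos AP-REQ: the clock-skew check, the ticket address check, and the authenticator replay cache that Antti says the 3.0 alphas lack. The authenticator is a plain dict standing in for the decrypted Authenticator fields (cname, ctime, cusec); the principal name, timestamps and addresses are constructed sample values, and the error names follow the Kerberos error codes only as labels.

```python
"""Toy Kerberos AP-REQ acceptor, with and without a replay cache.

Illustrative code only, not Samba's or any Kerberos library's implementation.
The session key is assumed to have been used already to decrypt the
authenticator, so `auth` below is the decrypted content, and `ticket_addrs`
is the ticket's (possibly empty) address list.
"""
from dataclasses import dataclass, field
import hashlib

# Result labels, named after the Kerberos AP error codes they stand for.
OK = "OK"
KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"        # authenticator too old or too new
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"    # authenticator already seen
KRB_AP_ERR_BADADDR = "KRB_AP_ERR_BADADDR"  # peer address not in ticket

CLOCK_SKEW = 300  # seconds; the usual default acceptance window


@dataclass
class ReplayCache:
    """Remembers authenticators seen inside the skew window.

    An entry older than the skew window would be rejected by the time check
    anyway, so it can be dropped; this keeps the cache bounded.
    """
    skew: int = CLOCK_SKEW
    seen: dict = field(default_factory=dict)  # fingerprint -> ctime

    @staticmethod
    def fingerprint(auth):
        # The client name plus the ctime/cusec pair identifies one
        # authenticator; a replay carries exactly the same values because
        # the attacker cannot re-encrypt it without the session key.
        raw = f"{auth['cname']}|{auth['ctime']}|{auth['cusec']}".encode()
        return hashlib.sha256(raw).hexdigest()

    def expire(self, now):
        self.seen = {fp: t for fp, t in self.seen.items()
                     if now - t <= self.skew}

    def check_and_insert(self, auth, now):
        """Return True if this authenticator is new, False if it is a replay."""
        self.expire(now)
        fp = self.fingerprint(auth)
        if fp in self.seen:
            return False
        self.seen[fp] = auth["ctime"]
        return True


def accept_ap_req(auth, ticket_addrs, peer_addr, now, rcache=None,
                  skew=CLOCK_SKEW):
    """Decide whether to accept a decrypted AP-REQ authenticator."""
    if abs(now - auth["ctime"]) > skew:
        return KRB_AP_ERR_SKEW
    # Tickets from a KDC that puts no addresses in them (the W2K case in
    # the thread) have an empty list, so this check never fires for them.
    if ticket_addrs and peer_addr not in ticket_addrs:
        return KRB_AP_ERR_BADADDR
    if rcache is not None and not rcache.check_and_insert(auth, now):
        return KRB_AP_ERR_REPEAT
    return OK


def demo():
    """Run the scenario from the thread; returns a dict of outcomes."""
    # Constructed sample authenticator captured from a legitimate session setup.
    auth = {"cname": "antti@EXAMPLE.COM", "ctime": 1_049_593_000,
            "cusec": 123456}
    t0 = auth["ctime"]
    no_addrs = []                 # W2K-style ticket: no address list
    results = {}
    # Server without a replay cache: the replay from another host, two
    # minutes later, is well inside the skew window and is accepted.
    results["first"] = accept_ap_req(auth, no_addrs, "10.0.0.5", now=t0 + 1)
    results["replay_no_cache"] = accept_ap_req(auth, no_addrs, "10.0.0.66",
                                               now=t0 + 120)
    # Same server with a replay cache: the second presentation is refused.
    rc = ReplayCache()
    results["first_cached"] = accept_ap_req(auth, no_addrs, "10.0.0.5",
                                            now=t0 + 1, rcache=rc)
    results["replay_cached"] = accept_ap_req(auth, no_addrs, "10.0.0.66",
                                             now=t0 + 120, rcache=rc)
    # Outside the skew window the time check alone is enough.
    results["replay_late"] = accept_ap_req(auth, no_addrs, "10.0.0.66",
                                           now=t0 + 600)
    # With addresses in the ticket, the replay from a different host fails
    # even without a cache.
    results["replay_with_addr"] = accept_ap_req(auth, ["10.0.0.5"],
                                                "10.0.0.66", now=t0 + 120)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The model makes the two limits visible: the skew window only bounds how long a captured KRB_AP_REQ stays usable, and address checking is a no-op when the KDC issues address-less tickets, so the replay cache is the only one of the three checks that refuses the replayed authenticator within the window. It also shows why the cache does nothing against Love's case: an attacker who holds the session key can build a fresh authenticator with a new ctime/cusec, and only integrity protection of the subsequent traffic helps there.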