Disable the krb5 replay cache when ads_verify_ticket() call from winbindd_pam.c

Gerald (Jerry) Carter jerry at samba.org
Tue Jun 5 19:06:39 GMT 2007



Folks,

Here's a small patch that disables the libkrb5.so replay
cache when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.

There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milliseconds rather than the microseconds needed by the
authenticator.  Checked against MIT 1.5.1.  Have not
researched how Heimdal does it.

My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.

I have customers hitting this now so it's a real issue.
Maybe this should be configurable and always use the rcache
by default.  Comments?



cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: disable_rcache_option.patch
Type: text/x-patch
Size: 6023 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070605/5675ae4b/disable_rcache_option.bin
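The failure mode the post describes can be reproduced with a small model of a timestamp-keyed replay cache. The following is an added illustration, not Jerry's patch and not MIT krb5 code: it assumes a cache keyed only on (client, server, ctime, cusec), a client clock whose resolution can be set to one millisecond or one microsecond, and constructed principal names and times. It shows that with a millisecond clock two quick successive logins collide and the second is reported as a replay, that a microsecond clock avoids the collision, and what is given up when the cache is switched off: a genuinely replayed authenticator is then accepted too.

```python
"""Model of a timestamp-keyed Kerberos replay cache (constructed example,
not MIT krb5 code) showing why fast automated logins can be flagged as
replays when the authenticator's ctime/cusec come from a coarse clock."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal (constructed, e.g. "cron@EXAMPLE.COM")
    server: str   # target service principal (constructed)
    ctime: int    # seconds since the epoch
    cusec: int    # microseconds within that second, 0..999999


class ReplayCache:
    """Remembers every (client, server, ctime, cusec) tuple it has seen.
    rd_req() rejects an authenticator whose tuple is already recorded,
    which is how a timestamp-keyed rcache detects a replayed AP-REQ."""

    def __init__(self):
        self._seen = set()

    def rd_req(self, auth):
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"   # treated as a replay attack
        self._seen.add(key)
        return "OK"


def make_authenticator(client, server, now_usec, clock_resolution_usec):
    """Build an authenticator from a clock that only advances every
    clock_resolution_usec microseconds: 1000 models a millisecond clock,
    1 models the microsecond resolution the authenticator format assumes."""
    quantised = (now_usec // clock_resolution_usec) * clock_resolution_usec
    return Authenticator(client, server,
                         quantised // 1_000_000, quantised % 1_000_000)


# Constructed base time (microseconds) and principals used by the simulations.
BASE_USEC = 1_181_070_000_000_000
CLIENT = "cron@EXAMPLE.COM"
SERVER = "host/server.example.com"


def simulate_logins(clock_resolution_usec, gap_usec, count=3, use_rcache=True):
    """Run `count` distinct logins spaced gap_usec apart and return the
    rd_req result for each.  With use_rcache=False every authenticator
    is accepted without being checked."""
    cache = ReplayCache()
    results = []
    for i in range(count):
        auth = make_authenticator(CLIENT, SERVER, BASE_USEC + i * gap_usec,
                                  clock_resolution_usec)
        results.append(cache.rd_req(auth) if use_rcache else "OK")
    return results


def simulate_true_replay(use_rcache=True):
    """Present the very same authenticator twice.  The rcache catches the
    second presentation; without the rcache it is accepted."""
    cache = ReplayCache()
    auth = make_authenticator(CLIENT, SERVER, BASE_USEC, 1)
    first = cache.rd_req(auth) if use_rcache else "OK"
    second = cache.rd_req(auth) if use_rcache else "OK"
    return [first, second]


if __name__ == "__main__":
    # Three logins 300 us apart: identical under a ms clock, distinct under a us clock.
    print("ms clock, rcache on :", simulate_logins(1000, 300))
    print("us clock, rcache on :", simulate_logins(1, 300))
    print("ms clock, rcache off:", simulate_logins(1000, 300, use_rcache=False))
    print("true replay, on/off :", simulate_true_replay(True), simulate_true_replay(False))
```

The two `simulate_*` functions make the trade-off in the post concrete: the false positive disappears either by giving the authenticator a finer clock or by skipping the cache, but only the first option keeps the protection against a real replay, which is why the suggestion to keep the rcache on by default and make the bypass configurable is the conservative choice.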