[PATCH] Add support for using server supplied principal (mic option)

Andrew Bartlett abartlet at samba.org
Mon Aug 25 04:02:16 GMT 2008

On Sun, 2008-08-24 at 23:49 -0400, simo wrote:
> On Mon, 2008-08-25 at 02:38 +0100, Love Hörnquist Åstrand wrote:
> > 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> > 
> > > Everything I've read does say that windows clients don't use the
> > > contents of the MIC field. The idea was that this would be useful for
> > > allowing kerberos auth in situations where clients and servers have
> > > differing ideas about the hostname of the server (either broken DNS or
> > > maybe trying to mount a CNAME).
> > 
> > Semi-modern Windows servers don't put a hostname there, so it won't
> > be much use either.
> > 
> > Windows just assumes that if you can look up the name, the same name
> > will be in the SPN in LDAP.
> > 
> > > I'll confess though that I haven't thought through the security
> > > implications fully here. Obviously, we don't want to do this if it's
> > > dangerous...
> > >
> > > So that I understand correctly, what exactly is the risk of using the
> > > server-provided principal?
> > 
> > You try to connect to host/my.secrets.com at GOOD.COM, but since the
> > host announces host/will.fake.your.data.secrets.com at GOOD.COM you'll
> > use that instead and never notice that you talk to the wrong host.
> Love,
> this would be true if we used the name returned to connect to a
> different host.
> But we only use it to get a ticket; we do not use the name to resolve
> an IP to which to connect, as we are already connected to the host.
> Now, assuming the connection is already established, what would be the
> risk if the server is telling us the wrong name? The ticket we get from
> the KDC (after the connection is established) will work only if the
> server we are connected to actually has the corresponding keytab.
> Is there an attack vector that could be used here if the ticket we try
> to use is not in fact the one we should use ?

So, Malory has corrupted a workstation, Charlie, that was left
unattended at a train station.

Alice is trying to log onto her corporate network, to download group
policies from the server, Bob.  However, because Malory has intercepted
the communications, he tells Alice to ask for access to Charlie (for
which he knows the keytab), not Bob.

Malory can now intercept and interfere with the 'signed' communications
between Alice and what she thinks is Bob, without knowing Bob's keytab. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
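The following is an added illustration of the attack Andrew describes; it is not Samba code and not part of the thread. It models the Kerberos pieces that matter here with stand-ins (a SHA-256 keystream plus HMAC tag in place of Kerberos encryption types, an in-process KDC, random keys generated inline), and the principal names host/bob and host/charlie, the attacker Mallory and the "group policy" payload are taken from the scenario above. The one switch is whether the client requests a ticket for the name it resolved itself or for the name the peer announced.

```python
"""Toy model of the 'trust the server-supplied principal' risk.

Added example, not Samba code.  Kerberos encryption is replaced by a
SHA-256 keystream plus an HMAC tag; the KDC, keytabs and keys are
constructed in-process.  Only the client's choice of target principal
differs between the two runs.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for Kerberos encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, service_keys: dict):
        self.service_keys = service_keys  # principal -> long-term key (what the keytab holds)

    def tgs_req(self, service_principal: str):
        """Issue a session key to the client and a ticket only that service's key can open."""
        session_key = os.urandom(32)
        return session_key, seal(self.service_keys[service_principal], session_key)


class Service:
    """The peer on the wire: honest Bob, or Mallory holding only Charlie's keytab."""

    def __init__(self, announced_name: str, keytab: dict, payload: bytes):
        self.announced_name, self.keytab, self.payload = announced_name, keytab, payload
        self.session_key = None

    def accept(self, ticket: bytes):
        """AP-REQ handling: open the ticket with a key we hold, else no valid AP-REP."""
        for key in self.keytab.values():
            try:
                self.session_key = unseal(key, ticket)
                return hmac.new(self.session_key, b"AP-REP", hashlib.sha256).digest()
            except ValueError:
                continue
        return None

    def signed_payload(self):
        return self.payload, hmac.new(self.session_key, self.payload, hashlib.sha256).digest()


def client_session(kdc: KDC, peer: Service, resolved_name: str, trust_announced_name: bool) -> dict:
    """Alice: pick the target principal, get a ticket, verify AP-REP, verify the signed data."""
    target = peer.announced_name if trust_announced_name else resolved_name
    session_key, ticket = kdc.tgs_req(target)
    ap_rep = peer.accept(ticket)
    expected = hmac.new(session_key, b"AP-REP", hashlib.sha256).digest()
    if ap_rep is None or not hmac.compare_digest(ap_rep, expected):
        return {"target": target, "authenticated": False, "policy": None}
    payload, mac = peer.signed_payload()
    ok = hmac.compare_digest(mac, hmac.new(session_key, payload, hashlib.sha256).digest())
    return {"target": target, "authenticated": True, "policy": payload if ok else None}


def run_scenario(trust_announced_name: bool, attacker_on_wire: bool) -> dict:
    bob_key, charlie_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"host/bob": bob_key, "host/charlie": charlie_key})
    if attacker_on_wire:
        # Mallory intercepts Alice's connection to Bob; she has Charlie's keytab, not Bob's.
        peer = Service("host/charlie", {"host/charlie": charlie_key}, b"GPO: firewall=off")
    else:
        peer = Service("host/bob", {"host/bob": bob_key}, b"GPO: firewall=on")
    return client_session(kdc, peer, resolved_name="host/bob",
                          trust_announced_name=trust_announced_name)


if __name__ == "__main__":
    for trust in (False, True):
        print("trust announced name:", trust, "->", run_scenario(trust, attacker_on_wire=True))
```

With the announced name trusted, Alice asks the KDC for a ticket to host/charlie, Mallory opens it with Charlie's key, returns a valid AP-REP and can sign any payload she likes; Alice's checks all pass and she accepts the forged policy. With the resolved name used, the ticket is sealed under Bob's key, Mallory cannot recover the session key, and the AP-REP check fails. This is exactly why "the ticket only works if the server has the keytab" is not a defence: the attacker chooses which keytab the ticket is for.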
