[PATCH] Add support for using server supplied principal (mic option)

simo idra at samba.org
Mon Aug 25 04:08:18 GMT 2008


On Mon, 2008-08-25 at 14:02 +1000, Andrew Bartlett wrote:
> On Sun, 2008-08-24 at 23:49 -0400, simo wrote:
> > On Mon, 2008-08-25 at 02:38 +0100, Love Hörnquist Åstrand wrote:
> > > 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> > > 
> > > > Everything I've read does say that windows clients don't use the
> > > > contents of the MIC field. The idea was that this would be useful for
> > > > allowing kerberos auth in situations where clients and servers have
> > > > differing ideas about the hostname of the server (either broken DNS or
> > > > maybe trying to mount a CNAME).
> > > 
> > > Semi-modern Windows servers don't put a hostname there, so it won't
> > > be much use either.
> > > 
> > > Windows just assumes that if you can look up the name, the same name will be
> > > in the SPN in the LDAP.
> > > 
> > > > I'll confess though that I haven't thought through the security
> > > > implications fully here. Obviously, we don't want to do this if it's
> > > > dangerous...
> > > >
> > > > So that I understand correctly, what exactly is the risk of using the
> > > > server-provided principal?
> > > 
> > > You try to connect to host/my.secrets.com at GOOD.COM, but since the host
> > > announces host/will.fake.your.data.secrets.com at GOOD.COM, you'll use that
> > > instead and never notice that you are talking to the wrong host.
> > 
> > Love,
> > this would be true if we used the name returned to connect to a
> > different host.
> > But we only use it to get a ticket; we do not use the name to resolve
> > an IP to which to connect, as we are already connected to the host.
> > 
> > Now, assuming the connection is already established, what would be the
> > risk if the server is telling us the wrong name? The ticket we get from
> > the KDC (after the connection is established) will work only if the
> > server we are connected to actually has the corresponding keytab.
> > 
> > Is there an attack vector that could be used here if the ticket we try
> > to use is not in fact the one we should use?
> 
> So, Malory has corrupted a workstation, Charlie, that was left
> unattended at a train station.  
> 
> Alice is trying to log onto her corporate network, to download group
> policies from the server, Bob.  However, because Malory has intercepted
> the communications, he tells Alice to ask for access to Charlie (for
> which he knows the keytab), not Bob.
> 
> Malory can now intercept and interfere with the 'signed' communications
> between Alice and what she thinks is Bob, without knowing Bob's keytab. 

Yeah, got it right after I hit send; it's late here after all, and the
brain was sloooow :-)
See the mail I sent just after the one you answered here.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
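The scenario Andrew describes, as an added toy model that is not code from this thread or from Samba: a KDC binds a ticket to the target principal's long-term key, and whoever sits at the endpoint Alice actually connected to can use that ticket only if they hold the matching key. Trusting the MIC-supplied name lets Mallory, holding only Charlie's keytab, complete the session; pinning the principal to the host Alice intended to reach does not. The hostnames, keys and the HMAC stand-in for ticket encryption are all constructed assumptions.

```python
import hashlib
import hmac

REALM = "GOOD.COM"
BOB = f"host/bob.good.com@{REALM}"
CHARLIE = f"host/charlie.good.com@{REALM}"

# Constructed sample keytabs (hypothetical hosts): the long-term key each
# service principal shares with the KDC. Mallory holds only Charlie's key.
KEYTABS = {BOB: b"bob-long-term-key", CHARLIE: b"charlie-long-term-key"}
MALLORY_KEYS = {CHARLIE: KEYTABS[CHARLIE]}


def kdc_issue_ticket(principal, session_key):
    """Toy KDC: bind the session key to the target principal's long-term key.
    Real Kerberos encrypts the ticket; an HMAC tag stands in for that here."""
    tag = hmac.new(KEYTABS[principal], session_key, hashlib.sha256).digest()
    return principal, tag


def endpoint_accepts(ticket, session_key, keys):
    """Whoever is at the TCP endpoint can use the ticket only with the
    key for the principal it was issued to."""
    principal, tag = ticket
    key = keys.get(principal)
    if key is None:
        return False
    expected = hmac.new(key, session_key, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def choose_principal(intended_host, announced, trust_announced):
    """The client policy under discussion. Pinning ignores the MIC-supplied
    name and derives the principal from the host the client meant to reach."""
    pinned = f"host/{intended_host.lower()}@{REALM}"
    return announced if trust_announced else pinned


def mitm_session_succeeds(intended_host, announced, trust_announced):
    """Alice meant to reach intended_host, but Mallory intercepted the
    connection and announced her own principal. Returns True if Mallory can
    complete the authenticated session with the ticket Alice fetched."""
    principal = choose_principal(intended_host, announced, trust_announced)
    session_key = b"fresh-session-key"  # constructed; a real KDC picks this
    ticket = kdc_issue_ticket(principal, session_key)
    return endpoint_accepts(ticket, session_key, MALLORY_KEYS)
```

With `trust_announced=True` the call `mitm_session_succeeds("bob.good.com", CHARLIE, True)` returns True (Mallory wins); with the principal pinned to the intended host it returns False, because the ticket is for Bob and Mallory lacks Bob's key.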