[PATCH] Add support for using server supplied principal (mic option)
simo
idra at samba.org
Mon Aug 25 04:08:18 GMT 2008
On Mon, 2008-08-25 at 14:02 +1000, Andrew Bartlett wrote:
> On Sun, 2008-08-24 at 23:49 -0400, simo wrote:
> > On Mon, 2008-08-25 at 02:38 +0100, Love Hörnquist Åstrand wrote:
> > > 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> > >
> > > > Everything I've read does say that windows clients don't use the
> > > > contents of the MIC field. The idea was that this would be useful for
> > > > allowing kerberos auth in situations where clients and servers have
> > > > differing ideas about the hostname of the server (either broken DNS or
> > > > maybe trying to mount a CNAME).
> > >
> > > Semi-modern Windows servers don't put a hostname there, so it won't
> > > be much use either.
> > >
> > > Windows just assumes that if you can look up the name, the same name will be
> > > in the SPN in the LDAP.
> > >
> > > > I'll confess though that I haven't thought through the security
> > > > implications fully here. Obviously, we don't want to do this if it's
> > > > dangerous...
> > > >
> > > > So that I understand correctly, what exactly is the risk of using the
> > > > server-provided principal?
> > >
> > > You try to connect to host/my.secrets.com at GOOD.COM, but since the host
> > > announces host/will.fake.your.data.secrets.com at GOOD.COM you'll use that
> > > instead and never notice that you talk to the wrong host.
> >
> > Love,
> > this would be true if we used the name returned to connect to a
> > different host.
> > But we only do use it to get a ticket, we do not use the name to resolve
> > an IP to which to connect as we are already connected to the host.
> >
> > Now, assuming the connection is already established, what would be the
> > risk if the server is telling us the wrong name? The ticket we get from
> > the KDC (after the connection is established) will work only if the
> > server we are connected to actually has the corresponding keytab.
> >
> > Is there an attack vector that could be used here if the ticket we try
> > to use is not in fact the one we should use ?
>
> So, Malory has corrupted a workstation, Charlie, that was left
> unattended at a train station.
>
> Alice is trying to log onto her corporate network, to download group
> policies from the server, Bob. However, because Malory has intercepted
> the communications, he tells Alice to ask for access to Charlie (for
> which he knows the keytab), not Bob.
>
> Malory can now intercept and interfere with the 'signed' communications
> between Alice and what she thinks is Bob, without knowing Bob's keytab.
Yeah, got it right after I hit send; it's late here after all, and the
brain was sloooow :-)
See the mail I sent just after the one you answered here.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
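The attack Andrew sketches above, worked through as an added example (this is not the patch's code, nor Samba's or Heimdal's, and it uses no real Kerberos library): a toy KDC hands out a ticket for whatever SPN the client asks for, and the only thing that differs between the two runs is whether the client derives the SPN from the host it meant to reach or trusts the principal the peer announced. All names (EXAMPLE.COM, bob/charlie.example.com), keys and messages are constructed for the demo, and the HMAC-based "ticket encryption" is a stand-in, not Kerberos cryptography.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.COM"   # constructed realm for the demo
KEY_LEN = 32


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = HMAC-SHA256(key, nonce || counter)).
    Stands in for the ticket encryption; unauthenticated, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + xor_stream(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    # With the wrong key this silently yields garbage, as a wrong-key decrypt
    # of a real ticket would; the authenticator check is what catches it.
    return xor_stream(key, blob[:16], blob[16:])


def sign(session_key: bytes, msg: bytes) -> bytes:
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def verify(session_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(session_key, msg), tag)


class KDC:
    """Knows every service's long-term key and issues a ticket for any SPN asked for."""

    def __init__(self, keytabs: dict):
        self.keytabs = keytabs

    def get_ticket(self, spn: str):
        session_key = os.urandom(KEY_LEN)
        # Only the holder of spn's long-term key can open the ticket.
        return session_key, seal(self.keytabs[spn], session_key)


def client_pick_spn(intended_host: str, announced_spn: str, trust_announced: bool) -> str:
    """The policy under discussion: derive the SPN from the host we meant to
    reach, or use whatever the peer put in the negotiation (MIC) field."""
    return announced_spn if trust_announced else f"host/{intended_host}@{REALM}"


def server_accept(own_key: bytes, ticket: bytes, challenge: bytes, tag: bytes):
    """Server side of AP-REQ: open the ticket with our keytab, check the
    authenticator, and on success prove possession of the session key (AP-REP)."""
    session_key = unseal(own_key, ticket)
    if not verify(session_key, challenge, tag):
        return None
    return sign(session_key, b"AP-REP:" + challenge)


def run(trust_announced: bool) -> dict:
    bob_spn = f"host/bob.example.com@{REALM}"
    charlie_spn = f"host/charlie.example.com@{REALM}"
    kdc = KDC({bob_spn: os.urandom(KEY_LEN), charlie_spn: os.urandom(KEY_LEN)})
    charlie_key = kdc.keytabs[charlie_spn]   # the keytab Malory took from Charlie

    # Malory is on the path to Bob and announces Charlie's principal to Alice.
    spn = client_pick_spn("bob.example.com", charlie_spn, trust_announced)
    alice_key, ticket = kdc.get_ticket(spn)

    # Alice's AP-REQ: the ticket plus an authenticator over a fresh challenge.
    challenge = os.urandom(16)
    tag = sign(alice_key, challenge)
    expected_rep = sign(alice_key, b"AP-REP:" + challenge)

    # Malory answers with Charlie's key; the real Bob answers with his own.
    malory_rep = server_accept(charlie_key, ticket, challenge, tag)
    bob_rep = server_accept(kdc.keytabs[bob_spn], ticket, challenge, tag)

    # If Malory opened the ticket he also holds the session key and can
    # forge the "signed" traffic Alice believes comes from Bob.
    forged = b"group-policy: disable firewall"
    forged_tag = sign(unseal(charlie_key, ticket), forged)

    return {
        "spn_used": spn,
        "malory_impersonates_bob": malory_rep is not None
                                   and hmac.compare_digest(malory_rep, expected_rep),
        "malory_forges_traffic": verify(alice_key, forged, forged_tag),
        "real_bob_accepts": bob_rep is not None
                            and hmac.compare_digest(bob_rep, expected_rep),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print("trust announced SPN:" if policy else "derive SPN from target:", run(policy))
```

The run with `trust_announced=True` is Andrew's scenario: Alice never connects anywhere but "Bob", yet because the ticket is for Charlie's principal, Malory (holding Charlie's key, not Bob's) completes the mutual authentication and can sign traffic under the session key, while Bob himself could not open that ticket, which is exactly Simo's observation that the ticket only works against a host holding the matching keytab. With `trust_announced=False` the ticket is bound to Bob's key and Malory's copy of Charlie's keytab buys him nothing.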