Re: your mail
- To: tech@openbsd.org
- Subject: Re: your mail
- From: Antoine Verheijen <antoine@nihon.ucs.ualberta.ca>
- Date: Thu, 20 Jul 2000 23:52:20 -0600 (MDT)
Knowing the history is truly immaterial. But the synopsis of what you're
saying is: to fix the potential KDC spoofing problem, we chose a solution
of convenience and, although it can be shown to be inadequate, we're not
about to change it because it's been like that for a while. By that
argument, why bother fixing any security problem. The fact is, it IS still
possible to spoof the KDC without compromising either the KDC or the local
host. It's not as easy, but it IS possible. However, we don't care! Perhaps
OpenBSD should drop its claim of making security its top priority. Or at
least, Kerberos support should be dropped from the default install. This
is a security hole which can be eliminated in a backward-compatible fashion
but you're not interested.
> it's clear you don't know the history of this.
> the original Kerberized distribution of telnetd did NOT verify the TGT,
> until someone pointed out how trivial it was to spoof a KDC response to a
> server calling get_in_pw_tkt() to bypass "Kerberized login". the feature
> you mention then showed up in Kerberos code #ifdef'd PARANOID, but has
> been a standard feature of Kerberized daemons performing Kerberos password
> authentication for many years.
> "rcmd" was used as the principal, because almost all hosts had an instance
> of it corresponding to a key in their srvtab. this has nothing to do with
> the use of a short hostname as the instance, though.
Yup, I do. So what? It fixes a problem which cannot be fixed with the current
method. It causes no further problem. Who cares if the limit's been known for
years? Who cares if it's addressed in (the mythical) krb5? This IS the same
as saying: don't fix ftp because scp solves the problem. Whether or not you
wish to see the similarity, it IS the same! Even when krb5 appears, the bug still
exists for those who continue to use krb4. In that case, put PARANOID back in
so that we can remove this stupid and essentially worthless check.
Am I a bit disgruntled? You bet. Why? Other than having had a bad day, you
really haven't given me anything besides history and emotion for refusing
to consider fixing this bug. Remember: for those who wish to keep the current
behaviour, they can. For those who wish security, they would have a real option.
> now, you suggest a special case of instance naming for this particular
> check, requiring a new key on the server apart from what people have
> always used. sorry, but this particular namespace limitation in krb4 has
> been well-known for many years, and has been adequately addressed in krb5.
> > I guess inherently I'd like to see OpenBSD correct its mistake by
> > divorcing the KDC validation mechanism from the "machine service"
> > mechanism accessed using "real" Kerberos authentication.
If I chose to allow ticket passing for authentication, the right place to fix
it is in phost. I don't choose to allow ticket passing. I wish ONLY to validate
a given password against a Kerberos database but I can't do that in a secure
fashion because you chose to propagate the name space collision to an area
where it need not exist. Verifying the validity of the KDC has nothing to do
with phost except that you chose to make it dependent on a known existing bug.
And because you can't fix it in the original place, you decide not to fix it.
Don't worry. We're close to the end. Persistence will win out. You've almost
convinced me that Kerberos in OpenBSD is worthless until such a time if and
when krb5 is supported. Then we'll see what creative solutions will exist.
I still believe in Kerberos. I just don't believe in it in OpenBSD.
> you're missing even your own point. the problem you're seeing is a
> namespace collision between keys of hosts of the same name in your realm.
> this problem will manifest itself in more than the KDC spoof check, you'll
> see it in ordinary service requests from client to servers as well - and
> how do you propose to fix that? the right place to do it, as i said
> before, is in get_phost(), but as i also noted, you'd have to do more than
> that if you wanted to support the original instance naming scheme as well.
Antoine Verheijen Email: Antoine.Verheijen@UAlberta.CA
CNS Network Services Phone: (403) 492-9312
University of Alberta Fax: (403) 492-1729
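The exchange above argues about three things without showing them: the KDC spoof that a bare password-to-TGT login is open to, the rcmd.<phost> service-ticket check that closes it, and the short-hostname instance collision that can make that check fail on a legitimate host. The following is an added toy model of all three, written for this page; it is not OpenBSD, MIT Kerberos or the thread participants' code. The KDC classes (RealKDC, SpoofKDC), the dict standing in for a srvtab, the realm contents and the cipher (an HMAC keystream with a tag, so a wrong key is detected) are all constructed assumptions chosen so the script runs offline on the standard library.

```python
"""Toy model of krb4 password login, the KDC-spoofing hole, and the
rcmd.<phost> ticket check. Constructed illustration, not Kerberos code:
KDCs, srvtab and cipher are stand-ins so this runs with the stdlib only."""
import hashlib
import hmac
import json
import os


def derive_key(secret: str) -> bytes:
    """Password to key. krb4 uses string_to_key(); plain SHA-256 here."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption; a wrong key is caught by the tag."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class RealKDC:
    """Holds every principal's key, including rcmd.<host> for each server."""

    def __init__(self, passwords: dict, service_keys: dict):
        self.user_keys = {u: derive_key(p) for u, p in passwords.items()}
        self.service_keys = service_keys
        self.tgs_key = os.urandom(32)  # krbtgt key: seals TGTs

    def as_request(self, user: str) -> bytes:
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session})
        return seal(self.user_keys[user], {"session": session, "tgt": tgt.hex()})

    def tgs_request(self, tgt_hex: str, service: str) -> bytes:
        tgt = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"client": tgt["client"], "session": svc_session})
        return seal(bytes.fromhex(tgt["session"]), {"session": svc_session, "ticket": ticket.hex()})


class SpoofKDC:
    """Attacker answering in the KDC's place. It knows only the password it
    is about to type at the login prompt; it holds no rcmd.<host> key."""

    def __init__(self, typed_password: str):
        self.key = derive_key(typed_password)
        self.session = os.urandom(32).hex()

    def as_request(self, user: str) -> bytes:
        fake_tgt = seal(os.urandom(32), {"client": user, "session": self.session})
        return seal(self.key, {"session": self.session, "tgt": fake_tgt.hex()})

    def tgs_request(self, tgt_hex: str, service: str) -> bytes:
        # The "ticket" can only be sealed under a made-up key; the host's
        # srvtab key will not open it.
        svc_session = os.urandom(32).hex()
        ticket = seal(os.urandom(32), {"client": "anyone", "session": svc_session})
        return seal(bytes.fromhex(self.session), {"session": svc_session, "ticket": ticket.hex()})


def login_no_verify(kdc, user: str, password: str) -> bool:
    """Original behaviour: whoever answers the AS request is believed."""
    try:
        unseal(derive_key(password), kdc.as_request(user))
        return True
    except ValueError:
        return False


def login_verified(kdc, user: str, password: str, srvtab: dict, phost: str) -> bool:
    """The check from the thread: use the TGT to fetch a ticket for
    rcmd.<phost> and insist it decrypts under the key in the local srvtab."""
    try:
        as_reply = unseal(derive_key(password), kdc.as_request(user))
        svc = "rcmd." + phost
        tgs_reply = unseal(bytes.fromhex(as_reply["session"]), kdc.tgs_request(as_reply["tgt"], svc))
        ticket = unseal(srvtab[svc], bytes.fromhex(tgs_reply["ticket"]))
        return ticket["client"] == user and ticket["session"] == tgs_reply["session"]
    except (ValueError, KeyError):
        return False


def scenarios() -> dict:
    """Constructed realm: user alice, server with short name 'mail', a spoofer."""
    mail_key = os.urandom(32)
    kdc = RealKDC({"alice": "correct horse"}, {"rcmd.mail": mail_key})
    srvtab = {"rcmd.mail": mail_key}
    spoof = SpoofKDC("letmein")  # the attacker will type "letmein"
    # Another host with the same short name registered rcmd.mail first, so the
    # KDC's key for that instance is not the one in this host's srvtab.
    collided_srvtab = {"rcmd.mail": os.urandom(32)}
    return {
        "real_kdc_good_pw": login_verified(kdc, "alice", "correct horse", srvtab, "mail"),
        "real_kdc_bad_pw": login_verified(kdc, "alice", "wrong", srvtab, "mail"),
        "spoof_no_verify": login_no_verify(spoof, "alice", "letmein"),  # the hole
        "spoof_verified": login_verified(spoof, "alice", "letmein", srvtab, "mail"),
        "collided_instance": login_verified(kdc, "alice", "correct horse", collided_srvtab, "mail"),
    }
```

Running scenarios() shows the spoofer logging in as alice when only the AS reply is checked, being refused once the rcmd.mail ticket must open under the srvtab key, and a legitimate host being refused too when the KDC's rcmd.mail key belongs to a different machine of the same short name, which is the collision the thread is arguing about.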