Re: Kerberos4 and check-ticket-addresses

Andreas Haupt <ahaupt@ifh.de> writes:

>> From what I can see the ka-server doesn't check addresses, you might want
>> to disable it only for v4 compatibility, but leave it on for Kerberos 5
>> requests. This requires patching in the kdc (kdc/kerberos4.c, look for line
>> with check_ticket_addresses).
> OK, I found the place. But what are the security impacts for Kerberos5
> when leaving it switched off generally?

That if someone steals the ticket it can be used on another
host/IP address. Kerberos 5 supports forwarding the ticket, i.e. checking out
a new ticket with the new addresses in it.

>> Is it users behind NAT that have the problem or some other application?
> No, it is very simple to reproduce. After you connected to another machine
> via e.g. ssh your forwarded Kerberos4 tgt is not usable any more (see
> error message above). AFS kaserver does not seem to check this at all. We
> see this problem now for the first time.

Oh, forwarding tickets isn't really supported in Kerberos 4; it just works
with kaserver since kaserver doesn't check the address in the ticket.
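
The address check discussed in this thread, as an added example that is not part of the original mail and is not Heimdal code: a simplified model of a per-protocol policy (check off for v4, on for v5) and of Kerberos 5 forwarding as re-issuing a ticket bound to the new address. All names and the sample addresses are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not Heimdal code: every name here is hypothetical. */
enum proto { KRB4, KRB5 };

struct policy {
    bool check_v4;    /* enforce the address check on Kerberos 4 requests */
    bool check_v5;    /* enforce the address check on Kerberos 5 requests */
    bool allow_null;  /* accept tickets that carry no address at all */
};

struct ticket {
    enum proto proto;
    const char *addrs[4];  /* addresses embedded at issue time, NULL-terminated */
};

/* Return true if a ticket presented from `from` passes the address policy. */
bool ticket_address_ok(const struct policy *p, const struct ticket *t,
                       const char *from)
{
    bool enforce = (t->proto == KRB4) ? p->check_v4 : p->check_v5;
    if (!enforce)
        return true;                 /* kaserver-like behaviour: no check */
    if (t->addrs[0] == NULL)
        return p->allow_null;        /* address-less ticket */
    for (size_t i = 0; i < 4 && t->addrs[i] != NULL; i++)
        if (strcmp(t->addrs[i], from) == 0)
            return true;             /* presented from a bound address */
    return false;                    /* ticket used from a foreign address */
}

/* Kerberos 5 forwarding: a new ticket is issued, bound to the new host. */
struct ticket forward_v5(const char *new_addr)
{
    struct ticket t = { KRB5, { new_addr, NULL, NULL, NULL } };
    return t;
}
```

With `check_v4` off and `check_v5` on, a v4 ticket carried to another host keeps working, while a copied v5 ticket is rejected unless it was re-issued for that host through forwarding.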