[Bug 1777776] Re: Ubuntu documentation for sssd/kerberos does not authenticate authentication server
Andreas Hasenack
andreas at canonical.com
Mon Apr 20 13:40:06 UTC 2020
Hi Andrew, I'm back on this bug since I'm updating the server guide for
the 20.04 release.
Again I didn't add krb5_validate to the guide, mostly because I had
forgotten about this bug here. The new guide is at
https://discourse.ubuntu.com/t/service-sssd/11579
Let me see if I got the attack scenario right, please correct me where
needed.
I know a certain workstation has a user called alice@EXAMPLE.COM, and I
want to log in as that user. That workstation has no host principal on
the KDC.
I set up a KDC of my own on a laptop, create alice@EXAMPLE.COM on it,
and get ready to spoof the real KDC.
I attempt to log in as alice@EXAMPLE.COM, with a password of my choosing.
Since I set up the fake KDC with the fake account, I can use any password
I want. If the fake KDC responds to the login request before the real
one, and krb5_validate is false on the workstation, no host keytab
verification is done, and alice can log in.
Is the above the scenario?
https://bugs.launchpad.net/bugs/1777776
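The scenario in the message turns on one sssd.conf setting: with krb5_validate left at its default of false, sssd trusts whichever KDC answers the AS request, while krb5_validate = true makes it fetch a ticket for the host's own principal and decrypt it with the host keytab, which a rogue KDC cannot forge. The following is an added example, not code from the bug thread, the server guide or the sssd project: a small POSIX shell audit that reads an sssd.conf and flags every [domain/...] section where krb5_validate is not true. The two-domain configuration it runs against is constructed for the example, and the realm names, KDC hostnames and keytab path in it are made up.

```shell
#!/bin/sh
# Added example (not from the Launchpad bug thread): audit an sssd.conf for
# domains that authenticate against Kerberos without validating the KDC.

audit_krb5_validate() {
  # $1: path to an sssd.conf
  # Prints "<domain> ok" or "<domain> VULNERABLE" per [domain/...] section
  # and returns 1 if any section lacks krb5_validate = true.
  # sssd defaults krb5_validate to false, so an absent key counts as unset.
  awk '
    function report() {
      if (validate == "true") print domain " ok"
      else { print domain " VULNERABLE"; bad = 1 }
    }
    /^[[:space:]]*\[/ {
      if (domain != "") report()
      domain = ""
      if ($0 ~ /^[[:space:]]*\[domain\//) {
        domain = $0
        sub(/^[[:space:]]*\[domain\//, "", domain)
        sub(/\].*$/, "", domain)
        validate = "false"
      }
      next
    }
    domain != "" && /^[[:space:]]*krb5_validate[[:space:]]*=/ {
      v = $0
      sub(/^[^=]*=[[:space:]]*/, "", v)
      sub(/[[:space:]]+$/, "", v)
      validate = tolower(v)
    }
    END { if (domain != "") report(); exit bad }
  ' "$1"
}

write_sample_conf() {
  # $1: destination path. Constructed sample config; hostnames, realms and
  # the keytab path are made up for this example.
  cat > "$1" <<'EOF'
[sssd]
domains = example.com, corp.example
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
# krb5_validate is unset here, so it defaults to false: whichever KDC
# answers first with a matching password is trusted.

[domain/corp.example]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.corp.example
krb5_realm = CORP.EXAMPLE
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
EOF
}

demo() {
  conf=$(mktemp)
  write_sample_conf "$conf"
  audit_krb5_validate "$conf" || echo "at least one domain skips KDC validation"
  rm -f "$conf"
}

# Enabling krb5_validate only helps if the host has its own key, i.e. a
# host/<fqdn>@REALM principal exists on the real KDC and in the keytab.
# Verify on the workstation with:
#   klist -k /etc/krb5.keytab        # expect host/<fqdn>@REALM listed
#   kinit -k host/$(hostname -f)     # must succeed against the real KDC
demo
```

Expected output for the sample: "example.com VULNERABLE", "corp.example ok", followed by the summary line because the function returned 1. The awk parser treats section headers and keys case-sensitively except for the value, which matches how sssd reads boolean options; it does not resolve include files, so run it against the file sssd actually loads.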