Proposed F19 Feature: Less Brittle Kerberos

Stef Walter stefw at redhat.com
Fri Feb 1 07:44:00 UTC 2013


On 01/31/2013 10:35 PM, Kurt Seifried wrote:
> Can't reply on the wiki page, FAS is throwing a 500 server error when I
> try to log in.
> 
> 
> On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jreznik at redhat.com
> <mailto:jreznik at redhat.com>> wrote:
> 
>     = Features/LessBrittleKerberos =
>     https://fedoraproject.org/wiki/Features/LessBrittleKerberos
> 
>     Feature owner(s): Stef Walter <stefw at redhat.com
>     <mailto:stefw at redhat.com>>
> 
>     Make kerberos in Fedora simpler to use by removing some of the
>     brittleness that are common failure points. In particular we remove
>     the need for kerberos clients to sync their clocks, and remove the
>     need to have reverse DNS records carefully set up for services.
> 
>     == Detailed description ==
>     MIT kerberos 1.11 now contains work so that clients do not have to
>     sync their system clocks with that of the KDC. A time offset is
>     discovered during preauth and stored along with the local
>     credentials. This removes a common point of failure when using
>     kerberos.
> 
> 
> One concern, would this time offset be per server on the client, e.g. if
> people get used to this then a group of servers may all have varyingly
> wrong times (e.g. server A is 10 minutes fast, server B is 34 minutes
> slow and server C is only off by 2 seconds). 

It's stored per-realm on the client.

But yes, things do definitely get more complicated when servers with out
of sync times are involved. At this point, this feature is about
kerberos clients being out of sync, not servers.

This paper does outline some solutions for handling clock skew on
servers, and eventually we'll want to make sure we can handle this in a
robust and maintenance free way.

http://static.usenix.org/publications/compsystems/1996/win_davis.pdf

But for now, first step is to fix clock-skew for kerberos clients. This
has real benefits for Fedora users and

> Also mitm attacks again.

That's a very general statement so I'll ask for details. Have you found
realistic MITM attack(s) in krb5 1.11?

To be clear, the above paper was largely implemented a while back in MIT
krb5, but only recently did we complete the work to make encrypted
timestamp preauth work with clock skew.

Is the following email post related to your concerns? If so, see the
remainder of the discussion:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010769.html

>     Kerberos clients can optionally verify reverse DNS records for
>     services that they connect to as a way of trying to identify which
>     realm they belong to. However in many cases these do not exist.
>     Kerberos should fall back to its default behavior in that case.
>     Failure to do this is a common point of failure when using kerberos.
> 
> 
> Would this for example cache data so that, for example, if the server has
> reverse DNS set up and then it stops working, the client warns the user
> (e.g. indicating a possible man in the middle attack)?

I don't think so. Apparently many (most?) kerberos implementations do
not look at reverse DNS data at all.

Cheers,

Stef
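The exchange Stef describes (encrypted-timestamp preauth, the KDC rejecting a skewed timestamp, the client learning the offset and storing it per realm) as an added, constructed simulation that is not MIT krb5 code and not part of this thread. It assumes hypothetical `FakeKDC`/`FakeClient` classes, frozen clocks instead of the system clock, and an HMAC over the timestamp as a stand-in for the client's long-term key encrypting PA-ENC-TIMESTAMP; the 300-second `clockskew` default and error code 37 (KRB_AP_ERR_SKEW) are the real krb5/RFC 4120 values. The three realms mirror Kurt's scenario of servers that are 34 minutes fast, 10 minutes slow and 2 seconds off:

```python
"""Constructed simulation of skew-tolerant encrypted-timestamp preauth.
Not MIT krb5 code: an HMAC stands in for the client's long-term key and
plain dicts stand in for the ASN.1 AS-REQ / KRB-ERROR / AS-REP messages."""
import hashlib
import hmac

CLOCKSKEW = 300             # MIT krb5 default 'clockskew' (seconds)
KRB_AP_ERR_SKEW = 37        # RFC 4120: clock skew too great
KDC_ERR_PREAUTH_FAILED = 24  # RFC 4120: preauth did not verify


def mac_timestamp(key: bytes, ts: int) -> str:
    """Stand-in for PA-ENC-TIMESTAMP: binds the timestamp to the client key,
    so a third party cannot forge or alter it without the key."""
    return hmac.new(key, str(ts).encode(), hashlib.sha256).hexdigest()


class FakeKDC:
    """One realm's KDC with its own (possibly wrong) clock."""

    def __init__(self, realm: str, client_key: bytes, clock):
        self.realm = realm
        self.client_key = client_key
        self.clock = clock  # callable returning this KDC's notion of 'now'

    def as_req(self, ts: int, mac: str) -> dict:
        now = self.clock()
        if not hmac.compare_digest(mac, mac_timestamp(self.client_key, ts)):
            return {"error": KDC_ERR_PREAUTH_FAILED}
        if abs(ts - now) > CLOCKSKEW:
            # The KRB-ERROR carries the KDC's time (stime), which is what the
            # client uses to compute its offset for this realm.
            return {"error": KRB_AP_ERR_SKEW, "stime": now}
        return {"ticket": f"krbtgt/{self.realm}@{self.realm} issued at {now}"}


class FakeClient:
    """Client whose credential cache keeps one clock offset per realm."""

    def __init__(self, key: bytes, clock):
        self.key = key
        self.clock = clock
        self.ccache_offsets: dict = {}  # realm -> seconds to add to local time

    def _attempt(self, kdc: FakeKDC) -> dict:
        ts = self.clock() + self.ccache_offsets.get(kdc.realm, 0)
        return kdc.as_req(ts, mac_timestamp(self.key, ts))

    def get_tgt(self, kdc: FakeKDC) -> dict:
        resp = self._attempt(kdc)
        if resp.get("error") == KRB_AP_ERR_SKEW:
            # Learn the offset for this realm only, then retry once.
            self.ccache_offsets[kdc.realm] = resp["stime"] - self.clock()
            resp = self._attempt(kdc)
        return resp


def demo():
    """Three realms with independently wrong clocks; returns the AS responses
    and the per-realm offsets the client ended up caching."""
    key = b"constructed-client-long-term-key"
    local = lambda: 1_000_000                       # frozen client clock
    client = FakeClient(key, local)
    kdcs = [
        FakeKDC("A.EXAMPLE", key, lambda: local() + 2040),  # 34 min fast
        FakeKDC("B.EXAMPLE", key, lambda: local() - 600),   # 10 min slow
        FakeKDC("C.EXAMPLE", key, lambda: local() + 2),     # within skew
    ]
    results = {k.realm: client.get_tgt(k) for k in kdcs}
    return results, dict(client.ccache_offsets)


def tampered_timestamp_is_rejected() -> int:
    """A timestamp authenticated with the wrong key fails preauth (code 24),
    so an on-path party cannot simply substitute its own timestamp."""
    key = b"constructed-client-long-term-key"
    kdc = FakeKDC("C.EXAMPLE", key, lambda: 1_000_000)
    return kdc.as_req(1_000_000, mac_timestamp(b"wrong-key", 1_000_000))["error"]


if __name__ == "__main__":
    results, offsets = demo()
    for realm, resp in results.items():
        print(realm, resp)
    print("cached offsets:", offsets)
```

Realm C never triggers an offset entry because its 2-second skew is within `clockskew`, while A and B each get their own entry, which is the per-realm storage Stef refers to. The model deliberately stops where the thread does: it covers the client's clock only, and says nothing about a service whose own clock is skewed relative to the KDC.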
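The reverse-DNS point from the feature text (principal name chosen from a PTR record when one exists, falling back to the forward canonical name when it does not) as an added, constructed model that is not MIT krb5 code and not part of this thread. It assumes a hypothetical `canonical_host` function and dict-backed stand-ins for the system resolver; the `rdns` knob mirrors the real `rdns` setting in the `[libdefaults]` section of krb5.conf, but the lookup data is invented:

```python
"""Constructed model of how a Kerberos client picks the host component of a
service principal (host/<name>@REALM). Not MIT krb5 code; the two dicts
stand in for forward (A/CNAME) and reverse (PTR) DNS resolution."""

# Constructed forward data: name -> (canonical name, address).
FORWARD = {
    "mail": ("mail.example.org", "192.0.2.10"),
    "mail.example.org": ("mail.example.org", "192.0.2.10"),
    "web.example.org": ("web.example.org", "192.0.2.20"),  # no PTR for this one
}
# Constructed reverse data: address -> PTR name.
REVERSE = {
    "192.0.2.10": "mx1.example.org",  # PTR disagrees with the forward name
}


def canonical_host(name: str, rdns: bool = True,
                   forward: dict = FORWARD, reverse: dict = REVERSE) -> str:
    """Return the host name to put in the service principal.

    With rdns=True the PTR record, if any, overrides the forward name (the
    brittle behaviour); with no PTR record the client must fall back to the
    forward canonical name rather than fail."""
    entry = forward.get(name.lower().rstrip("."))
    if entry is None:
        raise LookupError(f"no forward record for {name}")
    fqdn, addr = entry
    if rdns:
        ptr = reverse.get(addr)
        if ptr is not None:
            return ptr.lower()
    return fqdn


def service_principal(name: str, realm: str, rdns: bool = True) -> str:
    return f"host/{canonical_host(name, rdns)}@{realm}"


if __name__ == "__main__":
    for host in ("mail", "web.example.org"):
        for flag in (True, False):
            print(f"rdns={flag!s:5} {host:16} -> {service_principal(host, 'EXAMPLE.ORG', flag)}")
```

The `mail` case shows why the PTR path is a common failure: the client ends up asking for `host/mx1.example.org` while the service's keytab is likely keyed for `host/mail.example.org`. The `web.example.org` case shows the fallback the feature asks for: no PTR exists, so the forward name is used instead of an error. Since PTR data is unauthenticated, the fallback itself is not what weakens security; it is the reliance on reverse DNS in the first place that the `rdns = false` setting avoids.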