On Mon, Apr 20, 2020, at 10:09 AM, Andreas Hasenack wrote:
Hi,
I'm wondering why krb5_validate defaults to false in sssd-krb5, and
apparently it's the same default in the mit kerberos libraries (via
verify_ap_req_nofail). It should solve the KDC impersonation attack,
at the expense of a slightly more complicated setup (create the host
principal, extract key, create keytab). Is it because of this added
difficulty in setting up things, or does it not work on very common
scenarios/applications? Or just one of those hard to do transitions?
In my opinion, krb5_validate is broken. It chooses the name on first key in the keytab to
attempt validation, rather than either the newest or the one matching ldap_sasl_authid (or
an equivalent setting.) This causes issues where a host may have previously had a service
principal but it got reassigned to another host, or due to renaming a host without
removing the old name from the keytab. (RH support considered it "not a bug.")
V/r,
James Cassell
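To make the keytab-ordering problem in the reply above concrete, here is an added example (written for this page, not code from the thread, from sssd or from MIT Kerberos) that parses an MIT version-2 keytab in file order and reports which principal sits in the first slot, which one is newest, and whether the host principal the administrator expects is present at all. The sample keytab bytes, the principal names `host/oldname.example.com@EXAMPLE.COM` / `host/newname.example.com@EXAMPLE.COM` and the dummy key material are all constructed here; the assumption that validation uses the first slot is the poster's claim and is only reflected in what the report compares, not something the script verifies about sssd.

```python
import struct
from dataclasses import dataclass

# Diagnostic for the keytab-ordering problem raised in the thread: list the entries
# of an MIT-format keytab (version bytes 0x05 0x02) in file order so the principal in
# the first slot can be compared with the host principal an admin expects.

KEYTAB_MAGIC = b"\x05\x02"


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    timestamp: int


def _counted(b: bytes) -> bytes:
    """Encode a counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_entry(realm, components, timestamp, kvno, enctype=18, key=b"\x00" * 32, name_type=1):
    """Serialise one keytab record (constructed sample data; the key is a dummy)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(records, deleted_slot_size=0) -> bytes:
    """Assemble a keytab; optionally insert a deleted (negative-size) slot after the
    first record, which is what removing an entry in place leaves behind."""
    out = KEYTAB_MAGIC
    for i, rec in enumerate(records):
        out += rec
        if i == 0 and deleted_slot_size:
            out += struct.pack(">i", -deleted_slot_size) + b"\x00" * deleted_slot_size
    return out


def parse_keytab(data: bytes):
    """Return KeytabEntry objects in file order, skipping deleted slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:             # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, kvno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)   # key bytes are read but never printed
        kvno = kvno8
        if end - pos >= 4:        # 32-bit kvno, if present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
    return entries


def validation_report(entries, expected_principal):
    """Compare the first slot (the one the thread says validation picks) with the
    expected host principal and with the newest entry by timestamp."""
    first = entries[0].principal if entries else None
    newest = max(entries, key=lambda e: e.timestamp).principal if entries else None
    return {
        "first": first,
        "newest": newest,
        "first_matches_expected": first == expected_principal,
        "expected_present": any(e.principal == expected_principal for e in entries),
    }


# Constructed sample: a stale principal left in slot 1 after a host rename, a deleted
# slot, and the current host principal written afterwards.
SAMPLE_KEYTAB = build_keytab([
    build_entry("EXAMPLE.COM", ["host", "oldname.example.com"], 1500000000, 2),
    build_entry("EXAMPLE.COM", ["host", "newname.example.com"], 1600000000, 3),
], deleted_slot_size=16)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e)
    print(validation_report(entries, "host/newname.example.com@EXAMPLE.COM"))
```

Against a real file, read `/etc/krb5.keytab` in binary mode and pass the bytes to `parse_keytab`; a report whose `first` differs from the host's current principal while `expected_present` is true is exactly the stale-first-slot situation described above, and rewriting the keytab with only the current entries clears it.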