Pawel,
Thank you for the detailed explanation. I know for the "Kerberoasting" hacking technique, if you avoid the weak KRB5 ciphers (3des-cbc, arcfour-hmac), that thwarts this attack.
If we limit our KRB5 encryption algorithms to only strong ciphers (AES128 and AES256), would that thwart the above SSSD attack?
Also, our KRB5 tickets expire every 10 hrs.
Spike
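Added example, not from this thread or from SSSD: an MIT krb5 [libdefaults] fragment contrasting a client configuration that still admits RC4 and 3DES with one restricted to the AES types Spike asks about. The realm is a placeholder; these settings govern what this host's Kerberos clients will request and accept, while the key types stored for AD service accounts are set on the AD side.

```ini
# --- Variant A: still admits RC4 and 3DES (constructed example) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # allow_weak_crypto only gates single-DES and "export" types in MIT krb5;
    # rc4-hmac / des3-cbc-sha1 are removed by the explicit lists below.
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1

# --- Variant B: AES-only (replace the section above, do not keep both) ---
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    # Enctypes offered when requesting a TGT (AS-REQ)
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # Enctypes offered when requesting service tickets (TGS-REQ)
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # Enctypes this host will accept in tickets and session keys at all
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

After switching to variant B, `klist -e` on a fresh login shows the enctype of each cached ticket, which is the quickest way to confirm no RC4 or 3DES ticket is still being issued to this host.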
On Sat, Mar 20, 2021 at 6:43 PM Pawel Polawski ppolawsk@redhat.com wrote:
Hi Spike,
The KCM module mentioned in the article was introduced in SSSD 1.15.3 [1].
Latest RHEL7 version is 7.9 with SSSD 1.16.5.
Latest RHEL8 version is 8.3.0 with SSSD 2.3.0.
Last RHEL7 version without KCM module implemented in SSSD was RHEL 7.3 with SSSD 1.14.
RHEL8 uses KCM by default, where RHEL7 is using KEYRING by default. For more information about KCM in SSSD you can check the KCM design documents [2].
Quoting the linked article: "With the right Kerberos tickets, it is possible to move laterally to the rest of the Active Directory domain. If a privileged user authenticates to a compromised Linux system (such as a Domain Admin) and leaves a ticket behind, it would be possible to steal that user's ticket and obtain privileged rights in the Active Directory domain."
I would say that no matter if KCM is used or not, if the attacker has root access to a machine which is part of the domain, this is already a security concern. Using the tools described in the article it is possible to decrypt the KCM disk cache and extract access tokens. If a privileged user authenticates on a machine controlled by the attacker, their access tokens will be stolen. Restrictive access policies inside the domain can make reusing those stolen tokens harder for the attacker.
[1] https://sssd.io/docs/users/relnotes/notes_1_15_3
[2] https://sssd.io/docs/design_pages/kcm.html
Best regards,
Pawel
On Sat, Mar 20, 2021 at 4:06 AM Spike White spikewhitetx@gmail.com wrote:
All,
https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-lin...
Is this a security concern for the sssd version on RHEL7 & 8? I.e., if a hacker acquires root on one low-value asset, can they move laterally to more high-value assets?
Spike White
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Paweł Poławski
Senior Software Engineer
Red Hat https://www.redhat.com/