Thank you for the detailed explanation. I know for the "Kerberoasting"
hacking technique, if you avoid the weak KRB5 ciphers (3des-cbc,
arcfour-hmac), that thwarts this attack.
If we limit our KRB5 encryption algorithms to only strong ciphers (AES128
and AES256), would that thwart the above SSSD attack?
Also, our KRB5 tickets expire every 10 hrs.
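As an added verification check (not from the thread, nor part of SSSD or MIT Kerberos), the script below parses `klist -e` output, assumed to be in the default MIT format, from a constructed sample and reports any cached ticket whose session-key or ticket enctype is not AES, or whose validity exceeds the 10-hour policy mentioned above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist -e` output for an SSSD KCM cache; not
# captured from a real host (trailing spaces after the etypes mirror klist).
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
03/20/21 08:00:00  03/20/21 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/20/21 08:05:12  03/21/21 08:05:12  cifs/fs01.example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac 
03/20/21 09:10:00  03/20/21 18:00:00  HTTP/web.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes128-cts-hmac-sha1-96, des3-cbc-sha1 
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

def parse_klist(text):
    """One dict per ticket: service, validity window, session-key and ticket etypes."""
    lines, tickets = text.splitlines(), []
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m:
            continue
        # With -e, the etype line directly follows the ticket line.
        e = ETYPE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        tickets.append({"service": m.group(3),
                        "start": datetime.strptime(m.group(1), TIME_FMT),
                        "end": datetime.strptime(m.group(2), TIME_FMT),
                        "skey": e.group(1) if e else None,
                        "tkt": e.group(2) if e else None})
    return tickets

def audit(text, max_lifetime_hours=10):
    """Flag tickets whose session-key or ticket etype is not an AES type, and
    tickets valid for longer than the site policy (10 h in the thread)."""
    findings, limit = [], timedelta(hours=max_lifetime_hours)
    for t in parse_klist(text):
        for role in ("skey", "tkt"):
            et = t[role] or "unknown"
            if not et.startswith("aes"):
                findings.append((t["service"], f"weak {role} etype {et}"))
        if t["end"] - t["start"] > limit:
            findings.append((t["service"], "lifetime exceeds policy"))
    return findings
```

Run it against the output of `klist -e` on each host to confirm the enctype and lifetime restrictions actually took effect in the caches users hold.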
On Sat, Mar 20, 2021 at 6:43 PM Pawel Polawski <ppolawsk(a)redhat.com> wrote:
The KCM module mentioned in the article was introduced in SSSD 1.15.3.
Latest RHEL7 version is 7.9 with SSSD 1.16.5.
Latest RHEL8 version is 8.3.0 with SSSD 2.3.0.
Last RHEL7 version without the KCM module implemented in SSSD was RHEL 7.3 with SSSD 1.14.
RHEL8 uses KCM by default, whereas RHEL7 is using KEYRING by default.
For more information about KCM in SSSD you can check the KCM design documents.
Quoting the linked article:
"With the right Kerberos tickets, it is possible to move laterally to the rest of the Active Directory domain.
If a privileged user authenticates to a compromised Linux system (such as a Domain Admin) and leaves a ticket behind, it would be possible to steal that user's ticket and obtain privileged rights in the Active Directory domain."
I would say that no matter if KCM is used or not, if the attacker has root access to a machine which is part of the domain, this is already a security concern. Using the tools described in the article it is possible to decrypt the KCM disk cache and extract access tokens. If a privileged user authenticates on a machine controlled by the attacker, his access tokens will be stolen.
Restrictive access policies inside the domain can make reusing those stolen tokens harder for the attacker.
On Sat, Mar 20, 2021 at 4:06 AM Spike White <spikewhitetx(a)gmail.com>
> Is this a security concern for the sssd version on RHEL7 & 8? I.e., if a
> hacker acquires root on one low-value asset, can they move laterally to more
> high-value assets?
> Spike White
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> Do not reply to spam on the list, report it:
Senior Software Engineer
Red Hat <https://www.redhat.com/>