Project: I&AM Kerberos
KRB-12

As a security-conscious user, I want to have mutual authentication which cannot be compromised by DNS spoofing

Details

• Type: Story
• Status: Moved to Trello
• Priority: Normal
• Resolution: Unresolved
• Affects versions: None
• Fix versions: None
• Components: None
• Labels: None

Description

Kerberos authentication typically provides mutual authentication, meaning the server is authenticated to the client as well as the client to the server. Authenticating the server has taken on increasing importance in Internet security. Unfortunately, Kerberos's mutual authentication is gravely weakened when the client depends on insecure DNS to canonicalize the server hostname.

In release 1.12 we added the ability to set dns_canonicalize_hostname=False, which closes this loophole by preventing all DNS canonicalization. But it is not enabled by default and it imposes a convenience burden on users; they cannot even take advantage of the domain search path.

One approach to mitigating this problem is described here:

http://k5wiki.kerberos.org/wiki/Projects/Trust_KDC-local_name_resolution
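An added audit check, not part of this issue or of krb5 itself: a small Python script that reads the [libdefaults] section of a krb5.conf and reports whether dns_canonicalize_hostname has been explicitly set to a false value, since krb5 leaves the option at true when it is absent. The two configuration fragments are constructed samples and EXAMPLE.COM is a placeholder realm.

```python
"""Audit a krb5.conf for the dns_canonicalize_hostname setting described in KRB-12."""
import re

# Boolean spellings krb5's profile library accepts (krb5.conf(5)), compared
# case-insensitively; any other value is treated as "not disabled".
_FALSE_VALUES = {"false", "no", "off", "0", "f", "n"}


def parse_libdefaults(text):
    """Return the flat key = value pairs of [libdefaults]; { } subsections are skipped."""
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # blank or comment line
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        if line.endswith("{"):  # entering a nested subsection
            depth += 1
            continue
        if line == "}":  # leaving it
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def dns_canonicalization_disabled(text):
    """True only if dns_canonicalize_hostname is explicitly set to a false value.

    krb5 defaults the option to true, so an absent key means hostnames are still
    canonicalized through DNS and the exposure the issue describes remains.
    """
    value = parse_libdefaults(text).get("dns_canonicalize_hostname", "true")
    return value.lower() in _FALSE_VALUES


# Constructed samples: a stock [libdefaults] that leaves the default in place,
# beside one that applies the setting named in the issue.
DEFAULT_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
"""
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    dns_canonicalize_hostname = false
"""
```

Run it against the real file with `dns_canonicalization_disabled(open("/etc/krb5.conf").read())`; a False result means the hostname canonicalization path is still active on that client.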


People

• Assignee: Unassigned
• Reporter: Greg Hudson (Inactive)
• Votes: 0
• Watchers: 2
