(RADIATOR) Patch for authenticating KDC response in AuthKRB5

Erik Klavon erik at ack.berkeley.edu
Tue Apr 10 13:27:51 CDT 2007


Hi

A previous message sent to this mailing list 

 http://www.open.com.au/archives/radiator/2004-04/msg00008.html

describes a vulnerability in AuthKRB5.pm as currently implemented. Using
the work of a colleague - Mike Friedman - as a base, I have modified
AuthKRB5.pm to acquire credentials for a service principal. This process
addresses the concerns of the vulnerability described in the above
message. I have tested these modifications against both MIT Kerberos
and Active Directory.

The patch adds the following three new configuration keywords for
AuthKRB5.pm.

KrbKeyTab
This optional parameter provides the path to a Kerberos keytab
file. When this option is present, a service ticket will be obtained
as part of each Kerberos authentication attempt to guard against Key
Distribution Center spoofing. By default, the keytab is examined to
locate the key for the service radius/server@realm where server is
the fully qualified domain name of the machine running Radiator and
realm is the Kerberos realm used during authentication. The name of
the service may be overridden with the KrbService parameter, the
fully qualified domain name with the KrbServer parameter and the realm
with the KrbRealm parameter.

# Enable KDC spoof detection using service ticket
KrbKeyTab /etc/krb5-radius.keytab

KrbService
This optional parameter overrides the default value of "radius" for
the service name used when locating a key to obtain a service ticket
as part of Kerberos Key Distribution Center spoof detection. This
parameter has no effect unless the KrbKeyTab parameter is defined. See
the KrbKeyTab parameter for more information. This parameter should be
set to the service name of the service key obtained from your Kerberos
administrator.

# Service name for radius
KrbService radiusproxyauthenciation

KrbServer
This optional parameter overrides the default value of the fully
qualified domain name of the server running Radiator when locating a
key to obtain a service ticket as part of Kerberos Key Distribution
Center spoof detection. This parameter has no effect unless the
KrbKeyTab parameter is defined. See the KrbKeyTab parameter for more
information. This parameter should be set to the hostname included in
the service key obtained from your Kerberos administrator.

# Hostname of the server
KrbServer radius.example.com

The patch also adds some additional logging and error checking to
AuthKRB5.pm. The patch is available at the following URL.

 http://eriq.org/AuthKRB5.patch

Erik
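
An added example, not part of the original message or of Radiator: a Python pre-deployment check that the file named by KrbKeyTab holds a key for the principal service/server@realm described above. It assumes the MIT keytab file format 0x0502; the function names, the dummy key and the sample keytab are constructed for illustration.

```python
import socket
import struct

def keytab_principals(data: bytes) -> set:
    """Principals (service/host@REALM) stored in an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # zero length marks end of entries
            break
        if size < 0:                       # negative length: deleted entry, skip it
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        p = 2
        parts = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, p)
            parts.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def expected_principal(realm, service="radius", server=None):
    """service/server@realm. Assumption: getfqdn() stands in for AuthKRB5's FQDN lookup."""
    return f"{service}/{server or socket.getfqdn()}@{realm}"

def check_keytab(data, realm, service="radius", server=None):
    """Return (present, principal) for the key the patched module would look up."""
    want = expected_principal(realm, service, server)
    return want in keytab_principals(data), want

def build_entry(realm, components, key=b"\x00" * 16, kvno=1, enctype=17):
    """Constructed sample entry (dummy all-zero key), used only for the demo."""
    body = struct.pack(">H", len(components))
    for s in [realm, *components]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.COM", ["radius", "radius.example.com"])
print(check_keytab(SAMPLE_KEYTAB, "EXAMPLE.COM", server="radius.example.com"))
```

For a real deployment, pass the bytes of the keytab file together with the KrbRealm, KrbService and KrbServer values from the configuration; a False result means the service ticket step has no matching key.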
