Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!spool.mu.edu!snorkelwacker.mit.edu!stanford.edu!ATHENA.MIT.EDU!tytso
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
Newsgroups: comp.protocols.kerberos
Subject: Re: setup of kerberos
Message-ID: <9104082204.AA27326@tsx-11.MIT.EDU>
Date: 8 Apr 91 22:04:23 GMT
References:
Sender: news@shelby.stanford.edu (USENET News System)
Reply-To: tytso@athena.mit.edu
Organization: Internet-USENET Gateway at Stanford University
Lines: 37

   Date: 8 Apr 91 19:54:11 GMT
   From: pallas@eng.sun.com (Joseph Pallas)

   It's hard to see how this "opens up" a security hole.  Either
   Kerberos depends on host addresses or it doesn't.  If it does,
   there's a security hole.  If it doesn't, forwarding tickets won't
   create one.

While it is true that the TCP/IP addresses can be faked on the host, if
you're on the same subnet (Ethernet LAN), both machines will complain
when they see packets coming from the same TCP/IP address but different
ethernet addresses.  If you're coming from a different subnet, the
routers won't route the packets to you, unless you play some really
horrible routing games, which will probably be noticed since it will
cause some lossage of network connectivity as routes get played around.

So while "a typical undergraduate" might be able to change a host's
TCP/IP address, it probably would be noticed quickly.  Certainly I would
be suspicious if I saw duplicate IP address messages on my console
window.

In contrast, if someone can grab your tickets from your workstation and
use them on another workstation, there would be virtually no way of
detecting this use.  At least with the duplicate IP address, there is
some hope of noticing what's going on.  Or if you have forwardable
tickets, and you leave your workstation unprotected for a second, a
ticket thief could quickly run a program which stashed forwarded tickets
on another workstation and you would be none the wiser.

The thief could copy your tickets, but if the IP address is there, it
makes it that much harder to use the stolen tickets without detection.

The right answer, of course, is to make sure that your tickets don't get
stolen.  Unfortunately, asking users to lock their workstations and
secure their operating systems is a lot like asking people to choose
good passwords or to wear seat belts....

						- Ted
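
The duplicate-address signal described in the post, as an added example that is not part of the original message: a sketch that flags an IP address claimed by two Ethernet addresses within a short window, while ignoring a slow reassignment of the address to new hardware. The observation format, the `find_conflicts` name, the 300-second window and every sample address are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, IP, MAC) tuples such as a passive ARP monitor
# might record on one subnet. All addresses are made up for this example.
SAMPLE = [
    (0,    "192.0.2.10", "02:00:00:00:00:0a"),
    (30,   "192.0.2.10", "02:00:00:00:00:0a"),
    (45,   "192.0.2.10", "02:00:00:00:00:EE"),  # second station claims the IP
    (60,   "192.0.2.10", "02:00:00:00:00:0a"),  # original owner still active
    (0,    "192.0.2.20", "02:00:00:00:00:0b"),
    (9000, "192.0.2.20", "02:00:00:00:00:0c"),  # old MAC long silent
]


def find_conflicts(observations, window=300):
    """Return {ip: sorted MACs} for IPs claimed by 2+ MACs within `window` s.

    Two MACs only count as a conflict when both were seen for the same IP
    within `window` seconds of each other. A MAC that replaces one that has
    been silent for longer is treated as a reassignment, not a duplicate.
    """
    last_seen = defaultdict(dict)   # ip -> {mac: last timestamp seen}
    conflicts = defaultdict(set)    # ip -> MACs involved in a conflict
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()           # MAC notation is case-insensitive
        for other, seen in last_seen[ip].items():
            if other != mac and ts - seen <= window:
                conflicts[ip].update((mac, other))
        last_seen[ip][mac] = ts
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE).items():
        print(f"duplicate IP address {ip}: claimed by {', '.join(macs)}")
```

The window is the tuning knob: too small and interleaved claims from a quiet host are missed, too large and ordinary hardware swaps raise alerts.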