Bug 77264 - problem with kerberos and ldap authentication
problem with kerberos and ldap authentication
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: openldap (Show other bugs)
7.3
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Jay Turner
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-11-04 09:56 EST by Zouhir HAFIDI
Modified: 2015-01-07 19:01 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-06-30 03:45:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Zouhir HAFIDI 2002-11-04 09:56:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [fr] (X11; U; SunOS 5.8 sun4u)

Description of problem:
I have three machines named kdcmaster, ldapmaster and ldapclient running
Redhat Linux 7.3 :

1- kdcmaster is my kerberos KDC. There I created users principals and
ldap service principal (ldap/ldapmaster.mydomain.com). The only host
principal is kdcmaster itself (no host principals for ldapmaster nor
for ldapclient). The KDC works fine.

2- ldapmaster is my LDAP server. It works fine and it responds to ldapsearch
commands. The userPassword attribute is of the form 
{KERBEROS}username@MYDOMAIN.COM and /etc/openldap/ldap.keytab contains
the keytab of the ldap service principal.

3- ldapclient is a host for users.

Here is my problem. Just running authconfig on ldapclient and enabling LDAP 
lets a user in the kerberos database to authenticate. ("ssh -l username
ldapclient" makes ldapclient send the request to ldapmaster which uses the 
ldap service principal to talk to kdcmaster). This means that authentication
succeeds on any machine configured as an LDAP client, even if the machine 
is unknown to the KDC.
Since any user can easily configure his machine (a laptop for example)
as a LDAP client, this represents for me a breach of security.

When a user is authenticated on host ldapclient, kinit shows the following :

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

How is it possible to authenticate on host ldapclient knowing that ldapclient
has no host principal on kdcmaster? 

Is there any way to set up things so that authentication on ldapclient
is successful only if ldapclient has a host principal on kdcmaster?


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
see the description

Actual Results:  spoofing at the client side is possible

Expected Results:  clients not in KDC will NOT authenticate

Additional info:
Comment 1 Mark J. Cox (Product Security) 2003-04-23 07:05:42 EDT
Since this report we've released an update to Krb5 for Red Hat Linux 7.3. 
Please can you try these packages and report if this fixes the issue:

http://rhn.redhat.com/errata/RHSA-2003-051.html
Comment 2 Mark J. Cox (Product Security) 2003-06-30 03:45:43 EDT
no response, assumed fixed by erratum.  Please reopen if not.

Note You need to log in before you can comment on or make changes to this bug.