From Bugzilla Helper: User-Agent: Mozilla/4.76 [fr] (X11; U; SunOS 5.8 sun4u) Description of problem: I have three machines named kdcmaster, ldapmaster and ldapclient running Redhat Linux 7.3 : 1- kdcmaster is my kerberos KDC. There I created users principals and ldap service principal (ldap/ldapmaster.mydomain.com). The only host principal is kdcmaster itself (no host principals for ldapmaster nor for ldapclient). The KDC works fine. 2- ldapmaster is my LDAP server. It works fine and it responds to ldapsearch commands. The userPassword attribute is of the form {KERBEROS}username and /etc/openldap/ldap.keytab contains the keytab of the ldap service principal. 3- ldapclient is a host for users. Here is my problem. Just running authconfig on ldapclient and enabling LDAP lets a user in the kerberos database to authenticate. ("ssh -l username ldapclient" makes ldapclient send the request to ldapmaster which uses the ldap service principal to talk to kdcmaster). This means that authentication succeeds on any machine configured as an LDAP client, even if the machine is unknown to the KDC. Since any user can easily configure his machine (a laptop for example) as a LDAP client, this represents for me a breach of security. When a user is authenticated on host ldapclient, kinit shows the following : klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500) Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached How is it possible to authenticate on host ldapclient knowing that ldapclient has no host principal on kdcmaster? Is there any way to set up things so that authentication on ldapclient is successful only if ldapclient has a host principal on kdcmaster? Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: see the description Actual Results: spoofing at the client side is possible Expected Results: clients not in KDC will NOT authenticate Additional info:
Since this report we've released an update to Krb5 for Red Hat Linux 7.3. Please can you try these packages and report if this fixes the issue: http://rhn.redhat.com/errata/RHSA-2003-051.html
no response, assumed fixed by erratum. Please reopen if not.