Skip to content
This repository has been archived by the owner on Feb 24, 2024. It is now read-only.

checkPassword is insecure #31

Open
macosforgebot opened this issue Jan 25, 2014 · 6 comments
Open

checkPassword is insecure #31

macosforgebot opened this issue Jan 25, 2014 · 6 comments
Assignees
@cyrusdaboo
Labels
Defect P3: Important Security
Milestone
Later

Comments

@macosforgebot
Copy link

res@… originally submitted this as ticket:833

The python-kerberos checkPassword() method is badly insecure. It does a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier have its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification).

If this is not implemented, the documentation should at least indicate that there is no protection against KDC spoofing attacks here.
@macosforgebot
Copy link
Author

@wsanchez originally submitted this as comment:1:⁠ticket:833

@macosforgebot
Copy link
Author

@cyrusdaboo originally submitted this as comment:8:⁠ticket:833

  • Status changed from new to closed
  • Resolution set to Documentation changed

Added comments on checkPassword in r13268.

@macosforgebot
Copy link
Author

@wsanchez originally submitted this as comment:9:⁠ticket:833

  • Status changed from closed to reopened
  • Resolution Documentation changed deleted

Hrm, I wanna re-open this. I'd suggest we rename checkPassword to checkPassword_insecure so that it's clearly marked as a bad idea, and maybe made private (leading underbar or something).

But unless fixing the implementation as suggested doesn't make sense, I think this bug should stay open.

@macosforgebot macosforgebot added this to the Later milestone Aug 4, 2016
@HariSekhon
Copy link

What is the implication of using this method for infrastructure testing & monitoring?

KDC spoofing might result in a false positive that infrastructure is online but would it result in credential compromise given Krb is designed to run over untrusted networks and only hashes timestamps and tickets instead of sending the actual pw/hashes? Is there any way it could lead to TGT theft or similar?

ajs124 added a commit to helsinki-systems/nixpkgs that referenced this issue Jun 23, 2022
@ajs124
offlineimap: remove optional insecure kerberos dependency
5fec5eb 
was marked insecure in c8dbbe5
because of apple/ccs-pykerberos#31
dotlambda pushed a commit to dotlambda/nixpkgs that referenced this issue Jun 30, 2022
@ajs124 @dotlambda
offlineimap: remove optional insecure kerberos dependency
74b1228 
was marked insecure in c8dbbe5
because of apple/ccs-pykerberos#31

(cherry picked from commit 5fec5eb)
dotlambda pushed a commit to dotlambda/nixpkgs that referenced this issue Jun 30, 2022
@ajs124 @dotlambda
offlineimap: remove optional insecure kerberos dependency
722b883 
was marked insecure in c8dbbe5
because of apple/ccs-pykerberos#31

(cherry picked from commit 5fec5eb)
dotlambda pushed a commit to NixOS/nixpkgs that referenced this issue Jul 3, 2022
@ajs124 @dotlambda
offlineimap: remove optional insecure kerberos dependency
71d047b 
was marked insecure in c8dbbe5
because of apple/ccs-pykerberos#31

(cherry picked from commit 5fec5eb)
@bjornfor
Copy link

Link to CVE entry about this security issue: https://www.cvedetails.com/cve/CVE-2015-3206/

@mohitbaviskar1999
Copy link

@cyrusdaboo are you still working on this issue ?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cyrusdaboo cyrusdaboo

Labels
Defect P3: Important Security
Projects
None yet
Milestone
Later
Development

No branches or pull requests
5 participants
@bjornfor @HariSekhon @cyrusdaboo @macosforgebot @mohitbaviskar1999