Ubuntu Server Guide
SSSD and KDC spoofing
When using SSSD to manage Kerberos logins on a Linux host, there is an attack scenario you should be aware of: KDC spoofing. The attacker's objective is to log in on a workstation that uses Kerberos authentication. Let's say he knows that john is a valid user on that machine. He first deploys a rogue KDC on the network and creates the john principal there with a password of his choosing. He then needs his rogue KDC to answer the workstation's login request before (or instead of) the real KDC. A password login only proves that the KDC's reply can be decrypted with the password the user typed, and the attacker chose that password on his rogue KDC. So if the workstation does not authenticate the KDC, it will accept the rogue reply and let john in.

There is a configuration parameter that protects the workstation from this attack. It makes SSSD verify the KDC and block the login if the KDC cannot be verified. The option is called krb5_validate, and it is false by default. To enable it, edit /etc/sssd/sssd.conf and add this line to the domain section:

    [sssd]
    config_file_version = 2
    domains = example.com

    [domain/example.com]
    id_provider = ldap
    ...
    krb5_validate = True

The second step is to create a host principal on the KDC for this workstation. This is how the KDC's authenticity is verified: with krb5_validate enabled, SSSD uses the freshly obtained TGT to request a service ticket for the workstation's own host principal and checks that the ticket decrypts with the key stored in the local keytab. The host principal is like a "machine account", with a shared secret that the attacker cannot control and replicate in his rogue KDC. It has the form host/<fqdn>@REALM, for example host/ldap-krb-client.example.com@EXAMPLE.COM in the session below.

After the host principal is created, its keytab needs to be stored on the workstation. Both steps can easily be done on the workstation itself with kadmin (not kadmin.local), which contacts the KDC remotely:

    $ sudo kadmin -p ubuntu/admin
    kadmin:  addprinc -randkey host/ldap-krb-client.example.com@EXAMPLE.COM
    WARNING: no policy specified for host/ldap-krb-client.example.com@EXAMPLE.COM; defaulting to no policy
    Principal "host/ldap-krb-client.example.com@EXAMPLE.COM" created.
    kadmin:  ktadd -k /etc/krb5.keytab host/ldap-krb-client.example.com
    Entry for principal host/ldap-krb-client.example.com with kvno 6, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/ldap-krb-client.example.com with kvno 6, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

Then exit the tool and make sure the permissions on the keytab file are tight:

    sudo chmod 0600 /etc/krb5.keytab
    sudo chown root:root /etc/krb5.keytab

You can also do it on the KDC itself using kadmin.local, but then you have to store the keytab temporarily in another file and securely copy it over to the workstation. Two caveats: ktadd generates a new key (the kvno goes up) every time it runs, so running it again for the same principal on another host invalidates the keytab already on the workstation and breaks logins there; and the keytab must stay unreadable to ordinary users, because a rogue KDC that knows the host key could issue a service ticket that passes this validation.

Once these steps are complete, restart sssd on the workstation and perform the login. If the rogue KDC picks up the attempt and replies, the host verification fails, because the rogue KDC has no host principal for the workstation and no key to issue the service ticket with. With debugging enabled we can see that happening on the workstation:

    ==> /var/log/sssd/krb5_child.log <==
    (Mon Apr 20 19:43:58 2020) [[sssd[krb5_child[2102]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ldap-krb-client.example.com@EXAMPLE.COM].
    (Mon Apr 20 19:43:58 2020) [[sssd[krb5_child[2102]]]] [get_and_save_tgt] (0x0020): 1741: [-1765328377][Server host/ldap-krb-client.example.com@EXAMPLE.COM not found in Kerberos database]

And the login is denied. If the real KDC picks it up, however, the host verification succeeds:

    ==> /var/log/sssd/krb5_child.log <==
    (Mon Apr 20 19:46:22 2020) [[sssd[krb5_child[2268]]]] [validate_tgt] (0x0400): TGT verified using key for [host/ldap-krb-client.example.com@EXAMPLE.COM].

And the login is accepted.
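The two checks this section relies on, that every active domain has krb5_validate turned on and that krb5_child.log shows TGTs being verified rather than failing, can be scripted. The following is an added example in Python, not code from the Ubuntu Server Guide or from SSSD: it audits an sssd.conf for enabled domains that lack krb5_validate = True, extracts the validate_tgt outcome from krb5_child.log lines, and correlates a failure with the Kerberos error krb5_child logged for the same child PID. The sssd.conf text and the log lines embedded in it are constructed samples modelled on the output above; the second domain, corp.example.net, is an invented name used to show an unprotected configuration.

```python
"""Audit helpers for the krb5_validate countermeasure against KDC spoofing.
Added example, not code from the Ubuntu Server Guide or SSSD. The config
and log text below are constructed samples modelled on the page's output.
"""
import configparser
import re

# Constructed sssd.conf: corp.example.net is an assumed domain name that
# lacks krb5_validate and would therefore accept a spoofed KDC reply.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = example.com, corp.example.net

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_validate = True

[domain/corp.example.net]
id_provider = ldap
auth_provider = krb5
"""

# Constructed krb5_child.log lines: PID 2102 got its TGT from a KDC that
# does not hold the host key, PID 2268 from the real KDC.
SAMPLE_LOG = """\
(Mon Apr 20 19:43:58 2020) [[sssd[krb5_child[2102]]]] [validate_tgt] (0x0020): TGT failed verification using key for [host/ldap-krb-client.example.com@EXAMPLE.COM].
(Mon Apr 20 19:43:58 2020) [[sssd[krb5_child[2102]]]] [get_and_save_tgt] (0x0020): 1741: [-1765328377][Server host/ldap-krb-client.example.com@EXAMPLE.COM not found in Kerberos database]
(Mon Apr 20 19:46:22 2020) [[sssd[krb5_child[2268]]]] [validate_tgt] (0x0400): TGT verified using key for [host/ldap-krb-client.example.com@EXAMPLE.COM].
"""

TRUE_VALUES = {"true", "yes", "1"}  # boolean spellings sssd.conf accepts

# MIT krb5 error code for "Server ... not found in Kerberos database"
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377

# (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def domains_without_validation(conf_text):
    """Return enabled domains whose krb5_validate is absent or not true.

    Only domains listed in [sssd] domains= count; an unlisted [domain/...]
    section is inactive. A missing key is false, matching the SSSD default.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    enabled = [d.strip() for d in parser.get("sssd", "domains", fallback="").split(",")]
    unprotected = []
    for name in filter(None, enabled):
        value = parser.get(f"domain/{name}", "krb5_validate", fallback="false")
        if value.strip().lower() not in TRUE_VALUES:
            unprotected.append(name)
    return unprotected


def _parsed_lines(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m


def tgt_validation_events(log_text):
    """Return (timestamp, pid, outcome, principal) for each validate_tgt line.

    outcome is 'verified' or 'failed'; 'failed' is the fingerprint of a TGT
    issued by a KDC that does not hold this host's key.
    """
    events = []
    for m in _parsed_lines(log_text):
        if m.group("func") != "validate_tgt":
            continue
        msg = m.group("msg")
        principal = msg[msg.rfind("[") + 1 : msg.rfind("]")]
        outcome = "verified" if msg.startswith("TGT verified") else "failed"
        events.append((m.group("ts"), int(m.group("pid")), outcome, principal))
    return events


def failure_reason(log_text, pid):
    """Return (krb5_errno, message) that get_and_save_tgt logged for this PID."""
    for m in _parsed_lines(log_text):
        if m.group("func") != "get_and_save_tgt" or int(m.group("pid")) != pid:
            continue
        r = re.search(r"\[(-?\d+)\]\[(.*)\]$", m.group("msg"))
        if r:
            return int(r.group(1)), r.group(2)
    return None


if __name__ == "__main__":
    for name in domains_without_validation(SAMPLE_SSSD_CONF):
        print(f"domain {name}: krb5_validate not enabled, KDC replies are not verified")
    for ts, pid, outcome, principal in tgt_validation_events(SAMPLE_LOG):
        report = f"{ts} pid={pid} TGT {outcome} against {principal}"
        reason = failure_reason(SAMPLE_LOG, pid) if outcome == "failed" else None
        if reason and reason[0] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            report += " (KDC does not know the host principal: likely rogue)"
        print(report)
```

Run it on a real host with the contents of /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log in place of the samples; the validate_tgt lines only appear when debug_level is high enough for the 0x0020 and 0x0400 messages, as in the output above. A failed validation whose companion error is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is exactly the rogue-KDC signature shown on this page, but the same pair also appears when the host principal was never created or the keytab is stale, so treat it as a trigger for investigation rather than proof of an attack.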