[OpenAFS-devel] Aklog/krb5 mappings

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 06 Jul 2005 17:11:56 -0400


>For AFS, the problem is made somewhat worse by the fact that we construct 
>usernames by concatenating the V4 name and instance with a dot, but only 
>when the instance has non-zero length.  This behavior depends on the 
>premise that a V4 principal name will never contain a ".".  While krb524d 
>is broken and does not enforce this restriction, the V5 ticket handling 
>code in rxkad does.  The reasoning is the same as above -- mapping multiple 
>distinct V5 principals to the same AFS username could result in all sorts of 
>nasty security problems.

This is going to be my last message on this topic, honest.

- Clearly neither of the two open-source Kerberos implementations consider
  this a security problem, as they do not perform this checking.  If it
  was a "nasty security problem", we'd see CERT warnings issued and patches
  to correct the problem.

- This could only conceivably be an issue if you allow users to create
  arbitrary principal names.  I know that CMU allows users to create
  arbitrary instances for some strange reason, but even you have to
  admit that this is a rather uncommon practice.  For sites that don't
  allow users to create arbitrary principals, the only thing this check
  accomplishes is that it breaks things for V5 sites that have created
  principals with "." in their names (it doesn't even do a mapping to
  something else; it just silently rejects them!)

--Ken
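An added example, not part of Ken's message or of the OpenAFS sources: a small model of the name.instance mapping the quoted text describes, with the rxkad-style "." check switchable so both sides of the argument can be seen on constructed sample principals (all realm and principal names below are made up).

```python
# Added example (not from OpenAFS): models the V4-style name.instance -> AFS
# username mapping and the "." check on V5 principal components that the
# thread argues about.  Principal names and realms are constructed samples.

def v4_to_afs_username(name: str, instance: str) -> str:
    """Join name and instance with '.', but only when the instance is non-empty."""
    return f"{name}.{instance}" if instance else name

def v5_principal_to_afs_username(principal: str, strict: bool = True):
    """Map a V5 principal 'comp1[/comp2]@REALM' to an AFS username.

    Only one- or two-component principals are handled (returns None otherwise).
    strict=True rejects (returns None) any component containing '.', as the
    quoted text says rxkad's V5 ticket handling does; strict=False applies the
    mapping regardless, as the text says krb524d does.
    """
    name_part, _, _realm = principal.partition("@")
    components = name_part.split("/")
    if len(components) > 2:
        return None
    if strict and any("." in c for c in components):
        return None
    name = components[0]
    instance = components[1] if len(components) == 2 else ""
    return v4_to_afs_username(name, instance)

def find_collisions(principals, strict: bool):
    """Group principals by resulting AFS username; return only groups with >1 member."""
    by_user = {}
    for p in principals:
        user = v5_principal_to_afs_username(p, strict)
        if user is not None:
            by_user.setdefault(user, []).append(p)
    return {u: ps for u, ps in by_user.items() if len(ps) > 1}

# Constructed sample: the first two are distinct V5 principals that collide on
# the AFS username "foo.bar" once '.' is allowed; "john.smith" shows the other
# side of the argument, a legitimate V5 name that the strict check drops.
SAMPLE = ["foo.bar@EXAMPLE.COM", "foo/bar@EXAMPLE.COM",
          "alice@EXAMPLE.COM", "john.smith@EXAMPLE.COM"]

if __name__ == "__main__":
    print(find_collisions(SAMPLE, strict=False))  # {'foo.bar': [...two principals...]}
    print(find_collisions(SAMPLE, strict=True))   # {}
    print(v5_principal_to_afs_username("john.smith@EXAMPLE.COM"))  # None: silently rejected
```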