Kerberos, an ancient network authentication protocol from the 1980s that is commonly used to this day, can get you into some serious trouble.
The Kerberos setup used by your organization may not be all it’s cracked up to be.
Some myths run deep in the IT industry. It turns out, such is the case with Kerberos. The truth about security implications of using vanilla Kerberos is buried deep within its documentation.
Never mind, the esteemed MIT (Massachusetts Institute of Technology) keeps pushing new releases of their implementation of Kerberos. Their latest update was published less than two weeks ago. Their official project website treats you to this statement:
The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to “sniff” passwords off of the network are in common use by malicious hackers. (…)
As if they were trying to say “You are safe when using Kerberos”. But is that really so?
Not likely, at least not without further ado.
Brian H₂O’s (@int10h) had this to say via Twitter after diving into Kerberos:
@CloudInsidr yeah, because krb by itself only auths the client/server at the moment of handshake. there is not tunnel after, like ssl/ssh
— Brian H₂O’s (@int10h) March 7, 2016
Wow. Talk about surprises.
This looks like a serious case of IT “malpractice” and disinformation on the part of organizations advocating the use of Kerberos.
What if… what if this architectural flaw is somehow not an oversight, not a bug but a so-called “feature”?
@CloudInsidr not really. it wasn’t designed for tunneling. you can still do it, though. ssh w/ krb auth via gssapi does this.
— Brian H₂O’s (@int10h) March 7, 2016
Good to know. Is it worth the effort, then? (You decide.)
Thanks to Brian H₂O’s (@int10h) for this enlightening exchange!
Leave a Reply