Ubuntu documentation for sssd/kerberos does not authenticate authentication server

Bug #1777776 reported by Andrew Conway on 2018-06-20
This bug affects 1 person
Affects: Ubuntu Server Guide. Importance: Undecided. Assigned to: Unassigned.
Affects: sssd (Ubuntu). Importance: Undecided. Assigned to: Unassigned.

Bug Description

There is a security flaw in the Ubuntu documentation for using sssd with kerberos. It leaves out authentication of the authentication server. This is easy to fix.

Following the documentation will result in a system that seems to work (apart from known bug https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1723350) in the sense that someone can log in, but it would be easy for an attacker to impersonate the authentication server, and thus gain unauthorised access to any computer set up according to the documentation.

Solution:
 (1) When creating the file /etc/sssd/sssd.conf, add the line "krb5_validate = true"
 (2) Make sure that /etc/krb5.keytab is valid.

Step (1) is missing from all documentation. Step (2) is present in some, but not all, pages.

This affects (that I found) the following pages:

https://help.ubuntu.com/community/SingleSignOn (has valid /etc/krb5.keytab already)
https://wiki.ubuntu.com/Enterprise/Authentication/sssd (no mention of /etc/krb5.keytab)

I believe it also affects the following, but I do not use Active Directory and cannot check.

https://help.ubuntu.com/lts/serverguide/sssd-ad.html.en

I believe one should probably also add in /etc/sssd/sssd.conf a line to set krb5_use_fast for security reasons, although I do not understand this option well enough to comment definitively.

This applies to all versions, including 18.04.

information type: Private Security → Public Security
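
A check for the two steps of the fix described in the report, as an added example that is not part of the original bug report or of sssd. It assumes domains that use `auth_provider = krb5`, takes the keytab path from sssd's `krb5_keytab` option (falling back to /etc/krb5.keytab), and runs on a constructed sample config and constructed keytab bytes; `audit`, `keytab_looks_usable` and `read_sample` are names chosen for this example.

```python
import configparser

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # path named in the report

def keytab_looks_usable(data: bytes) -> bool:
    # Header check only: keytab files start with 0x05 and a version byte
    # (0x01 or 0x02). It cannot prove the key matches the real KDC.
    return len(data) > 2 and data[0] == 5 and data[1] in (1, 2)

def audit(conf_text: str, read_file) -> list:
    """Return (section, problem) pairs for every auth_provider = krb5 domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        if not section.startswith("domain/"):
            continue
        if opts.get("auth_provider", "").strip().lower() != "krb5":
            continue
        # Step (1): the option must be present and true.
        if opts.get("krb5_validate", "false").strip().lower() != "true":
            findings.append((section, "krb5_validate is not set to true"))
        # Step (2): the keytab used for validation must exist and hold data.
        path = opts.get("krb5_keytab", DEFAULT_KEYTAB).strip()
        try:
            data = read_file(path)
        except OSError:
            data = b""
        if not keytab_looks_usable(data):
            findings.append((section, path + " is missing, empty or not a keytab"))
    return findings

# Constructed sample input (not taken from the report).
SAMPLE_CONF = """\
[sssd]
domains = EXAMPLE.COM, LAB.EXAMPLE.COM

[domain/EXAMPLE.COM]
auth_provider = krb5
krb5_realm = EXAMPLE.COM

[domain/LAB.EXAMPLE.COM]
auth_provider = krb5
krb5_validate = true
krb5_keytab = /etc/lab.keytab
"""
SAMPLE_FILES = {"/etc/krb5.keytab": b"\x05\x02" + bytes(8), "/etc/lab.keytab": b""}

def read_sample(path):
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```

On a real host, pass the contents of /etc/sssd/sssd.conf and a function that opens the keytab path in binary mode; both files are normally readable only by root.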
Andreas Hasenack (ahasenack) wrote :

Any idea why upstream sets krb5_validate to false by default? I presume because this would require the extra step of creating a service ticket for the host where the login happened, if I understood it correctly?

Andreas Hasenack (ahasenack) wrote :

And, is sssd's krb5_validate option overriding krb5 library's verify_ap_req_nofail?

If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false.

Andrew Conway (acubuntuone) wrote :

I don't know why krb5_validate is false by default. I thought it was historical or (dubiously) to make setting up easier, but I did some tests and found, to my surprise, that even with it not set, I could not log in without an /etc/krb5.keytab file.

In particular, I tried all 6 combinations of krb5_validate {set or not set} and /etc/krb5.keytab being { empty, valid, valid but for a different kdc }. I found that I could never log in without some /etc/krb5.keytab. With a valid (but inconsistent with the actual responding kerberos server) key, it required the flag be not set in order to log in (this is the scenario for an attacker). With the correct /etc/krb5.keytab you could log in regardless of krb5_validate.

So it sounds as if sssd overrides verify_ap_req_nofail to true even if krb5_validate is false, which is surprising.

So the only breaking case I see of having krb5_validate default on would be if the system has an /etc/krb5.conf from a different kerberos system, which seems unlikely.
