As the MIT Kerberos docs say:

> Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attack”: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.

In other words: since omniauth-kerberos does not provide any way to verify the provenance of the user credentials, it is vulnerable to spoofing the KDC.
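The following is an added example, not code from omniauth-kerberos, the MIT docs, or the issue author. It is a toy Ruby model of the AS and TGS exchanges (JSON payloads sealed with AES-256-GCM, not real Kerberos encodings or enctypes) that goes beyond the text above by playing out both sides: a password-only check of the kind omniauth-kerberos performs accepts a login against an attacker-controlled KDC, while a `krb5_verify_init_creds`-style check, which fetches a ticket for `host/<fqdn>` and decrypts it with the key from the local keytab, rejects it. The realm, principal names, passwords, and the `Kdc`, `get_init_creds_password` and `verify_init_creds` helpers are all hypothetical.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Toy crypto for the model (constructed): JSON payloads under AES-256-GCM.
def string2key(password, salt)
  # Principal long-term key derived from password + salt (toy: one SHA-256).
  OpenSSL::Digest::SHA256.digest("#{salt}:#{password}")
end

def seal(key, payload)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(JSON.generate(payload)) + c.final
  { iv: iv, tag: c.auth_tag, ct: ct }
end

def unseal(key, blob)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob[:iv]
  d.auth_tag = blob[:tag]
  d.auth_data = ''
  JSON.parse(d.update(blob[:ct]) + d.final)
rescue OpenSSL::Cipher::CipherError
  nil # wrong key: the authentication tag does not verify
end

class Kdc
  # keys: principal name => long-term key; 'krbtgt' is the ticket-granting service.
  def initialize(keys)
    @keys = keys
  end

  # AS-REQ/AS-REP: only a holder of the client's key can read enc_part.
  def as_exchange(client, nonce)
    client_key = @keys[client] or return nil
    session = SecureRandom.hex(16) # 32 ASCII bytes, used directly as an AES-256 key
    { 'tgt' => seal(@keys['krbtgt'], { 'client' => client, 'session' => session }),
      'enc_part' => seal(client_key, { 'session' => session, 'nonce' => nonce }) }
  end

  # TGS-REQ/TGS-REP: a ticket for `service`, sealed under that service's key.
  def tgs_exchange(tgt, authenticator, service)
    tgt_body = unseal(@keys['krbtgt'], tgt) or return nil
    auth = unseal(tgt_body['session'], authenticator) or return nil
    return nil unless auth['client'] == tgt_body['client']
    service_key = @keys[service] or return nil
    seal(service_key, { 'client' => tgt_body['client'], 'service' => service })
  end
end

# Password-only check: "the AS-REP decrypted, so the password must be right".
# This is where a login that never consults the keytab stops.
def get_init_creds_password(kdc, realm, client, password, nonce = SecureRandom.hex(8))
  rep = kdc.as_exchange(client, nonce) or return nil
  enc = unseal(string2key(password, realm), rep['enc_part'])
  return nil unless enc && enc['nonce'] == nonce
  { 'client' => client, 'tgt' => rep['tgt'], 'session' => enc['session'] }
end

# krb5_verify_init_creds step: use the fresh TGT to get a ticket for host/<fqdn> and
# require that it decrypt under the key held in the local keytab. Only the real KDC has it.
def verify_init_creds(kdc, creds, service, keytab)
  host_key = keytab[service] or return false
  authenticator = seal(creds['session'], { 'client' => creds['client'] })
  ticket = kdc.tgs_exchange(creds['tgt'], authenticator, service) or return false
  body = unseal(host_key, ticket) or return false
  body['client'] == creds['client'] && body['service'] == service
end

def demo
  realm = 'EXAMPLE.COM'         # hypothetical realm
  host = 'host/app.example.com' # hypothetical service principal in the app's keytab
  real_keys = { 'krbtgt' => SecureRandom.hex(16), host => SecureRandom.hex(16),
                'alice' => string2key('correct horse', realm) }
  keytab = { host => real_keys[host] } # what the application server holds locally
  real_kdc = Kdc.new(real_keys)
  # Zanarotti attack: the client is pointed at a KDC the attacker controls. It knows
  # the password the attacker will type and invents every other key on demand.
  fake_keys = Hash.new { |h, k| h[k] = SecureRandom.hex(16) }
  fake_keys['alice'] = string2key('attacker-chosen', realm)
  fake_kdc = Kdc.new(fake_keys)

  good = get_init_creds_password(real_kdc, realm, 'alice', 'correct horse')
  spoofed = get_init_creds_password(fake_kdc, realm, 'alice', 'attacker-chosen')
  { real_login: !good.nil?,
    real_verified: verify_init_creds(real_kdc, good, host, keytab),
    wrong_password_rejected: get_init_creds_password(real_kdc, realm, 'alice', 'nope').nil?,
    fake_login: !spoofed.nil?,                                       # naive check is fooled
    fake_verified: verify_init_creds(fake_kdc, spoofed, host, keytab) } # keytab check fails
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the model makes is that decrypting the AS-REP proves only that whoever answered knows the same password the user typed, which the attacker trivially arranges on a KDC they run; the service ticket for the host principal is the first message that must be produced with a key the attacker does not hold, so that is the step that actually binds the login to the legitimate realm.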