{"id":1043,"date":"2016-03-07T16:33:09","date_gmt":"2016-03-08T00:33:09","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=1043"},"modified":"2016-03-22T14:15:20","modified_gmt":"2016-03-22T22:15:20","slug":"still-using-kerberos-authentication-now-you-have-a-reason-to-stop-it-does-not-keep-you-safe","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/still-using-kerberos-authentication-now-you-have-a-reason-to-stop-it-does-not-keep-you-safe\/","title":{"rendered":"Still using Kerberos Authentication? Now You Have a Reason to Stop: It Does NOT Keep Your Business Safe"},"content":{"rendered":"

Kerberos, an ancient network authentication protocol from the 1980s that is commonly used to this day, can get you into some serious trouble.<\/p>\n

The\u00a0Kerberos setup used by your organization may not be all it’s cracked up to be.<\/p>\n

<\/p>\n

Some myths run deep in the IT industry. It turns out, such is the case with Kerberos.\u00a0The truth about security implications of using vanilla Kerberos is buried deep within its\u00a0documentation.<\/p>\n

Never mind,\u00a0the esteemed\u00a0MIT<\/a> (Massachusetts Institute of Technology) keeps pushing\u00a0new releases of their implementation of Kerberos.\u00a0Their latest update was published\u00a0less than\u00a0two weeks\u00a0ago. Their\u00a0official\u00a0project\u00a0website<\/a>\u00a0treats you to\u00a0this statement:<\/p>\n

The Internet is an insecure place.<\/b> Many of the protocols used in the Internet do not provide any security. Tools to “sniff” passwords off of the network are in common use by malicious hackers. (…)<\/em><\/p><\/blockquote>\n

As if they were trying to say “You are safe when using\u00a0Kerberos”. But is that really so?<\/p>\n

Not likely, at least not without further ado.<\/p>\n

\"Brian<\/a><\/p>\n

Brian H\u2082O\u2019s (@int10h)<\/a> had this to say via Twitter after diving into Kerberos:<\/p>\n

\n

@CloudInsidr<\/a> yeah, because krb by itself only auths the client\/server at the moment of handshake. there is not tunnel after, like ssl\/ssh<\/p>\n

\u2014 Brian H\u2082O\u2019s (@int10h) March 7, 2016<\/a><\/p><\/blockquote>\n

Wow. Talk about surprises.<\/p>\n

This looks like a serious case of IT\u00a0“malpractice” and disinformation on the part of organizations advocating the use of Kerberos.<\/p>\n

What if… what if this architectural flaw is somehow\u00a0not an oversight, not a bug\u00a0but\u00a0a so-called “feature”?<\/p>\n

\n

@CloudInsidr<\/a> not really. it wasn’t designed for tunneling. you can still do it, though. ssh w\/ krb auth via gssapi does this.<\/p>\n

\u2014 Brian H\u2082O\u2019s (@int10h) March 7, 2016<\/a><\/p><\/blockquote>\n

Good to know. Is it worth the effort, then? (You decide.)<\/p>\n

Thanks to\u00a0Brian H\u2082O\u2019s<\/a>\u00a0(@int10h<\/span><\/a>) for this enlightening exchange!<\/p>\n