A Talk about MS-SFU Kerberos

A Talk about MS-SFU Kerberos
Slide Note
Embed
Share

Investigate the importance of S4U2Self and Constrained Delegation in Kerberos extensions, focusing on how they work, recent vulnerabilities, and implementation suggestions for Samba. Delve into S4U2Proxy, Cross Realm S4U2Self, and more.

  • Kerberos
  • Extensions
  • Samba
  • Security
  • Vulnerabilities
lsout
lsout Follow

Uploaded on Feb 18, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019

  2. Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm. Recent CVEs related to S4U2Self. A couple of words on S4U2Proxy and RBCD.

  3. What is S4U2Self and why you should care Any server providing resources needs to have a mean to authenticate the user and to get a the list of groups the user is member of for authorization. Usually user s password is required to get user s token (Kerberos or NTLM). Any other authentication schemes (TLS, OTP, name it) can t get us a token. LDAP is the problem - not the solution. The consensus on Samba ML is that the best solution is S4U2Self. Supports enterprise-names and and X509 certificates. We can and should implement S4U2Self within winbind!

  4. How does it work PA-FOR-USER. PA-S4U-X509-USER - only implemented in MIT. Cross Realm S4U2Self - only implemented in MIT. TODOs: Porting S4U code from MIT to Heimdal. Add test coverage to Samba MIT build.

  5. MS-SFU 2.2.1 PA- FOR-USER: The PA-FOR-USER padata value is protected with the help of a *keyed* checksum, as defined below...

  6. CVEs related to S4U2Self Samba CVE-2018-16853: A user in a Samba AD domain can crash the MIT KDC by requesting an S4U2Self ticket. https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069 https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b MIT Kerberos CVE-2018-20217: Reachable Assertion. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. https://github.com/krb5/krb5/commit/94e5eda5bb94d1d44733a49c3d9b6d1e42c74def Samba CVE-2018-16860 / Microsoft CVE-2019-0734: S4U2Self with unkeyed checksums. https://github.com/samba-team/samba/commit/43958af1d50f0185e21e6cd74110c455ee8996af A python tool for intercepting and manipulating Kerberos packets, can be used to test KDC handling of unkeyed S4U2Self requests: https://github.com/iboukris/S4U/blob/master/kintercept/kintercept.py

Related


SFU Library - Assignment Support

SFU Library - Assignment Support

callahan
Locksmith in Ireland

Locksmith in Ireland

Tejaswini
SFU LIBRARY ORIENTATION

SFU LIBRARY ORIENTATION

mehmet
Library Technician at Simon Fraser University: A Career Overview

Library Technician at Simon Fraser University: A Career Overview

ishaan
Implementing Red Hat Identity Management (IPA) for Improved Identity Management and Access Control

Implementing Red Hat Identity Management (IPA) for Improved Identity Management and Access Control

minna
The Art of Small Talk: Navigating Social Situations with Ease

The Art of Small Talk: Navigating Social Situations with Ease

perry
Salinity in Seawater: Density, Composition, and Variations

Salinity in Seawater: Density, Composition, and Variations

kyliann
Structured & Speedy Research Case Competition Training Program - Spring 2024

Structured & Speedy Research Case Competition Training Program - Spring 2024

schroth_j
Secure Usage of Kibana & ElasticSearch in Multi-User Environments

Secure Usage of Kibana & ElasticSearch in Multi-User Environments

thoennes_s
Talk-Line: A Helpline for Students in Grades 3-5

Talk-Line: A Helpline for Students in Grades 3-5

fian643
Expert Tips for Delivering a 15-Minute Talk Effectively

Expert Tips for Delivering a 15-Minute Talk Effectively

acull
Effective Scientific Talk Presentation Tips

Effective Scientific Talk Presentation Tips

taon203
Post-Secondary Scholarship Information and Admission Requirements Overview

Post-Secondary Scholarship Information and Admission Requirements Overview

acone
Kerberos Authentication in Network Security

Kerberos Authentication in Network Security

pcapp
Kerberos Authentication Protocol

Kerberos Authentication Protocol

bri_pr
Practical Aspects of Modern Cryptography: November 2016

Practical Aspects of Modern Cryptography: November 2016

stripling_d
History of Delhi Sultanate (A.D. 1200 - A.D. 1526) Presentation

History of Delhi Sultanate (A.D. 1200 - A.D. 1526) Presentation

mlang
SFU Physics: Cutting-Edge Research Advancements

SFU Physics: Cutting-Edge Research Advancements

ewer_via
How to give a great research talk

How to give a great research talk

brer477
Origins and Use of Kerberos in Distributed Systems

Origins and Use of Kerberos in Distributed Systems

yadier_c

More Related Content