Hi Andrew, I'm back on this bug since I'm updating the server guide for the 20.04 release.
Again, I didn't add krb5_validate to the guide, mostly because I had forgotten about this bug here. The new guide is at https://discourse.ubuntu.com/t/service-sssd/11579

Let me see if I got the attack scenario right, please correct me where needed.

I know a certain workstation has a user called al...@example.com, and I want to log in as that user. That workstation has no host principal on the KDC. I set up a KDC of my own with a laptop, create al...@example.com on it, and get ready to spoof the real KDC. I attempt to log in as al...@example.com, with a password of my choosing. Since I set up the fake KDC with the fake account, I can use any password I want. If the fake KDC responds to the login request before the real one, and krb5_validate is false on the workstation, no host keytab verification is done, and alice can log in.

Is the above the scenario?

--
https://bugs.launchpad.net/bugs/1777776
Title: Ubuntu documentation for sssd/kerberos does not authenticate authentication server
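
A check for the setting discussed in this message, as an added example that is not part of the original bug comment or the Ubuntu guide: it reads an sssd.conf and reports, per Kerberos-authenticating domain, whether the TGT is validated against the host keytab. The sample configuration and domain names are constructed; the defaults used (false for the krb5 provider, true for the ipa and ad providers, keytab at /etc/krb5.keytab) are taken from sssd-krb5(5).

```python
import configparser

# Constructed sample sssd.conf (not from the bug report or the guide).
SAMPLE_SSSD_CONF = """
[sssd]
domains = weak.example.com, strict.example.com, ad.example.com

[domain/weak.example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM

[domain/strict.example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_validate = true

[domain/ad.example.com]
id_provider = ad
"""

KRB5_PROVIDERS = ("krb5", "ipa", "ad")  # providers that authenticate via Kerberos


def audit_krb5_validate(conf_text):
    """Return {domain: (validated, keytab_path)} for each Kerberos domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        id_provider = opts.get("id_provider", "").strip().lower()
        # auth_provider falls back to id_provider when it is not set.
        auth = opts.get("auth_provider", id_provider).strip().lower()
        if auth not in KRB5_PROVIDERS:
            continue
        # Default per sssd-krb5(5): false, except true for ipa and ad.
        default = "true" if auth in ("ipa", "ad") else "false"
        validated = opts.get("krb5_validate", default).strip().lower() == "true"
        keytab = opts.get("krb5_keytab", "/etc/krb5.keytab").strip()
        results[section[len("domain/"):]] = (validated, keytab)
    return results


if __name__ == "__main__":
    for domain, (ok, keytab) in audit_krb5_validate(SAMPLE_SSSD_CONF).items():
        state = f"TGT validated against {keytab}" if ok else "KDC reply NOT validated"
        print(f"{domain}: {state}")
```

A domain reported as validated still needs a host principal in the named keytab; the script only inspects the configuration and does not read the keytab.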