On Active Attacks to Kerberos Telnet

2001-08-22, Simon Josefsson, RSA Laboratories

Abstract: We present a well-known and well-documented weakness against active attacks in the Telnet Authentication and Encryption Protocol framework, and discuss the consequences for Kerberos (version 4 and 5) Telnet. We recognize that the weakness can ultimately be used by a active attacker to fool Kerberos Telnet users in some implementations. We briefly describe the protocols involved, the weakness, and demonstrate how it can be used to impersonate a server. We conclude with a recommendation on how to solve the identified problem.

Available in HTML, PDF, and PS.

Patch: The following patch should fix the above problem in KTH Kerberos and Heimdal, whereby an active attacker can fool the Kerberos Telnet client into not encrypting any data, and ultimately also make you believe you are authenticating and encrypting a Telnet session to one server, while you are in fact talking to someone else (most likely the attacker).

Available in Patch for Heimdal v0.4d. Hopefully the patch applies to KTH Kerberos, later Heimdal releases as well as the versions in FreeBSD, NetBSD and OpenBSD as well.

Update 2002-02-13: An alternative, and probably better, solution is to switch to a Kerberos Telnet client that gives you more control over the authentication and encryption negotiation process, such as the Kermit Telnet client and Telnetd server. There is a security related page for it as well. Another client is the SRP Telnet client.

sjosefsson at rsasecurity.com