on sending a kerberos keytab to the client machine

David Magda dmagda at ee.ryerson.ca
Mon Sep 24 20:14:38 CEST 2012


On Mon, September 24, 2012 12:58, Thomas Lange wrote:
>>>>>> On Mon, 3 Sep 2012 22:40:08 +0200, "Andreas B. Mundt"
>>>>>> <andi.mundt at web.de> said:
>
>     >   * Add the MAC addresses of all machines to be installed to
>     >     dhcpd.conf.  You have to make sure that nobody in the network
>     >     can fake a MAC address if you do that by some automatic means.
>
>     > Did I miss something?
>
> Yes. You _can_ fake MAC addresses easily :-(
> I don't know how to prevent this. Maybe setting fixed MAC addresses on
> every port of your switch. But this will be a lot of work, and some
> (or maybe most) switches can be fooled by MAC address flooding.

Not necessarily a lot of work. Some switches allow you to specify the
maximum number of MAC addresses on a switch (auto-learning them), and once
that number has been reached, no other MACs will be paid attention to:

http://www.hp.com/rnd/device_help/help/hpwnd/webhelp/HPJ4121A/security_perports.htm
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html#wp1070234

This still doesn't solve MAC spoofing, but it tends to be an obscure
enough feature that for the "casual attacker" it will throw a reasonable
curve ball.


At the end of the day, if you need to really be secure, you need to have
some kind of state on the client machine (Kerberos password, 802.1x
credentials, etc.)--which generally doesn't exist on a clean image.
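As an added illustration of the port-security feature referred to above (this is not configuration from the thread or from FAI; the interface name is an assumption), a Cisco IOS access port that learns a single MAC and drops frames from any other:

```cisco
! Added example, not from the thread: Cisco IOS port security on one
! access port, as in the Cisco document linked above.
! The interface name is an assumption.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 ! learn at most one MAC address on this port
 switchport port-security maximum 1
 ! keep the first learned MAC in the running config ("sticky")
 switchport port-security mac-address sticky
 ! drop frames from any other MAC and log a violation, leave the port up
 switchport port-security violation restrict
!
! Verification: list the learned address and the violation counter
!  show port-security interface GigabitEthernet1/0/10
!  show port-security address
```

A host that spoofs the one sticky address still gets through, which is the limitation noted above; the feature only stops a second, unexpected MAC from showing up on the same port.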



