STANFORD UNIVERSITY

SECURE COMPUTING

Kerberos identities and Internet Connection Sharing

Internet Connection Sharing may permit unauthorized access to network resources

IT Services has recently discovered an issue with MacOSX 10.2 (Jaguar) Internet Connection Sharing that can result in unexpected access to Stanford resources protected by s/ident & Kerberos. The issue is not restricted to MacOSX users; any operating system that obtains an IP address and network connectivity from a machine performing Network Address Translation may be subject to this condition.

MacOSX 10.2 (Jaguar) includes a feature called Internet Connection Sharing, an implementation of Network Address Translation (NAT). NAT allows a user to share his or her IP address with other systems, giving more than one device access to the network without requiring the use of more network addresses. Windows XP contains the same capability.

Stanford relies on s/ident & Kerberos to manage user authentication and access to network resources. In order to simplify authentication throughout Stanford’s network, UNIX Kerberos, PC-Leland and MacLeland use a utility called s/ident, which allows a client machine to verify its identity based on its IP address. In a NAT environment, every machine behind the shared connection is effectively able to identify itself as the machine that is providing the shared connection. s/ident in its current implementation is not aware of Network Address Translation.

If you enable Internet Connection Sharing on your OSX or WinXP system (or any other operating system capable of providing this service), you make it possible for anyone using the shared connection to access your email and other Kerberos-protected resources. Every machine behind the NAT will assume your Kerberos identity.
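A short model of the identity collapse described above, added here as an example and not taken from the advisory. The addresses, principals and the IMAP target are constructed, and NatGateway and ident_lookup are illustrative names, not s/ident's real interface:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of the trust an s/ident-style check places in the network:
# one source IP address maps to exactly one Kerberos principal.
IDENT_BY_IP: Dict[str, str] = {
    "171.64.10.5": "alice@stanford.edu",   # Alice's Mac, the Internet Sharing host
    "171.64.10.9": "bob@stanford.edu",
}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatGateway:
    """Model of Internet Connection Sharing: every outbound client packet leaves
    with the gateway's own public address; only the port distinguishes clients."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: Dict[Tuple[str, int], int] = {}   # (client ip, port) -> public port
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

def ident_lookup(pkt: Packet) -> Optional[str]:
    """Server side: identity is derived from the source address alone,
    which is exactly the assumption that NAT silently breaks."""
    return IDENT_BY_IP.get(pkt.src_ip)

def identity_seen_by_server(client_ip: str, gateway: Optional[NatGateway]) -> Optional[str]:
    """Identity the server attributes to a connection from client_ip, with or
    without a NAT gateway in the path (IMAP on port 143 is just a sample target)."""
    pkt = Packet(client_ip, 51000, "171.64.7.1", 143)   # constructed addresses
    if gateway is not None:
        pkt = gateway.outbound(pkt)
    return ident_lookup(pkt)

if __name__ == "__main__":
    gw = NatGateway("171.64.10.5")
    for client in ("192.168.2.3", "192.168.2.77"):
        # Both clients are attributed Alice's identity; on their own they have none.
        print(client, "->", identity_seen_by_server(client, gw))
```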

This is not a bug in the host operating systems, nor is it a bug in Stanford's Kerberos system. NAT, s/ident and Kerberos are individually working as designed, but collectively causing an unexpected problem. There is no patch available to fix this issue. Administrators and users are strongly encouraged to ensure that Internet Connection Sharing is not enabled, to avoid inappropriate disclosure of information or access to confidential resources.

While this issue is not specific to Mac OS X, it’s particularly easy to inadvertently enable Internet Connection Sharing on that platform, so it’s the focus of this report.

Identifying Machines at Risk

In this discussion, the host machine is the device providing network access via Internet Connection Sharing or other NAT implementations. Clients are machines accessing the network through the shared connection.

We discuss MacOSX 10.2 (Jaguar) and WinXP specifically because of the ease with which Internet sharing can be enabled. Earlier releases of OSX and OS9, as well as Windows 2000 and earlier, can provide Internet sharing, but the functionality requires additional software and configuration, so those systems are much less likely to provide the service inadvertently, without deliberate action from a system administrator. You can identify machines running Internet Sharing in a variety of ways: directly, by looking at the processes running on MacOSX 10.2 systems or Windows XP boxes; or indirectly, by discovering clients with network addresses in the default range used by Mac and WinXP Internet Sharing, and then using them to identify the machine acting as their DHCP server.

To determine whether or not your Mac is running Internet Sharing, open System Preferences --> Sharing, and select the Internet tab, which indicates whether or not sharing is enabled.

Alternatively, on MacOSX you can use the Process Viewer or the Terminal Application (from Applications --> Utilities) to look for natd, the process that starts up when Internet Sharing is enabled. If you want to use the Process Viewer, you can narrow your search by entering “natd” in the Find window.

If you prefer the Terminal Application, enter the following command once you’ve started it (the ax flags are needed because natd runs as root without a terminal, so a bare ps will not list it):

ps ax | grep natd

On Windows XP, right-click on My Network Places and select Properties. If any of the network connections include the word "shared" in their descriptions, the XP system is vulnerable.

You may also learn of Internet Sharing/NAT on your network indirectly, when a user reports problems accessing campus resources.

The DHCP addresses provided through ITSS are publicly routable addresses, typically beginning with 171.64.xxx.xxx (for the campus network) or 128.12.xxx.xxx (for the dorms). If you find a system with a non-routable network address (192.168.x.x, especially 192.168.2.xxx; or 10.0.xxx.xxx, especially 10.0.2.xxx) on your network then it's a good bet there is a NAT server somewhere on that same subnet. Remember that the NAT server is the machine that is subject to having its Kerberos identity compromised.

You can determine which system on your subnet is running the NAT service by performing the following:

  1. Go to a machine that has acquired one of the 192.168.x.x addresses.
  2. Examine the address of the default gateway (which should be the machine running the NAT daemon).
  3. Ping the default gateway from the DHCP client machine.
  4. If the ping succeeds, check the ARP cache to get the hardware address:

MacOS X: Open Terminal.app from Applications --> Utilities, and run this command:

arp <ip address>

Windows: Open Command Prompt from Start --> Programs --> Accessories and run this command:

arp -a <ip address>
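The detection steps above as a helper script, added here as an example and not part of the advisory. It flags clients whose addresses fall in the non-routable ranges named earlier and pulls the gateway's hardware address out of arp output in either the Mac or the Windows layout; the sample arp lines and the client inventory are constructed:

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Default client ranges the advisory attributes to Mac and WinXP Internet Sharing.
DEFAULT_ICS_RANGES = [ipaddress.ip_network("192.168.2.0/24"),
                      ipaddress.ip_network("10.0.2.0/24")]

# One arp line: an IPv4 address followed (after non-digits) by a MAC in colon or hyphen form.
_ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})")

def classify(ip: str) -> str:
    """'routable', 'private', or 'ics-default' (private and inside a default ICS range)."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        return "routable"
    if any(addr in net for net in DEFAULT_ICS_RANGES):
        return "ics-default"
    return "private"

def find_hw_address(arp_output: str, gateway_ip: str) -> Optional[str]:
    """MAC recorded for gateway_ip in arp output, normalised to lower-case colon form."""
    for line in arp_output.splitlines():
        m = _ARP_LINE.search(line)
        if m and m.group("ip") == gateway_ip:
            octets = re.split(r"[:-]", m.group("mac"))
            return ":".join(o.lower().zfill(2) for o in octets)
    return None

def suspect_nat_hosts(clients: Iterable[Tuple[str, str]],
                      arp_output: str) -> List[Tuple[str, str, Optional[str]]]:
    """For each (client ip, default gateway) pair whose client address is not
    publicly routable, return (client, gateway, gateway MAC or None)."""
    hits = []
    for client_ip, gateway_ip in clients:
        if classify(client_ip) != "routable":
            hits.append((client_ip, gateway_ip, find_hw_address(arp_output, gateway_ip)))
    return hits

# Constructed samples in the shape of `arp` output on a Mac and on Windows XP.
SAMPLE_ARP_MAC = "? (192.168.2.1) at 0:3:93:12:34:56 on en0 [ethernet]\n"
SAMPLE_ARP_WIN = ("Interface: 192.168.2.3 --- 0x2\n"
                  "  Internet Address      Physical Address      Type\n"
                  "  192.168.2.1           00-03-93-12-34-56     dynamic\n")

if __name__ == "__main__":
    inventory = [("171.64.10.9", "171.64.10.1"), ("192.168.2.3", "192.168.2.1")]
    print(suspect_nat_hosts(inventory, SAMPLE_ARP_WIN))
```

The hardware address returned is what you compare against the MAC of the suspected host machine; the routable client in the inventory is deliberately left out of the result.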

What should you do? Disable the Internet Sharing service as soon as it is discovered: clear the Internet Sharing checkbox on OSX, or clear the Internet Connection Sharing checkbox on the Advanced tab of the network connection's Properties dialog on WinXP. Then talk to the user and find out why it was enabled in the first place.

Locations at Risk

Machines on and off campus are at risk if they run UNIX Kerberos, PC-Leland or MacLeland and use Internet Connection Sharing.

Applications at Risk

Any Kerberos-enabled application running on a client system behind the shared connection will assume the identity of the host and be able to access authenticated resources.

These include, but are not limited to, authenticated Web services such as http://webmail.stanford.edu, stanfordwho and mystanford.

Mitigating Factors

The risk of assumed identities is particularly significant on MacOSX and WinXP because of the ease of enabling Internet Connection Sharing. However, in a few special cases the user will receive a warning before the service is enabled. These special cases include enabling connection sharing on a single-homed machine with an Ethernet network interface (the message states “enabling connection sharing violates the appropriate use policy of many Internet Service Providers”).

The risk of inadvertent identity sharing is lower in home environments than on Stanford’s campus, because many high-speed home connections use network address translation within the ISP infrastructure. s/ident validation fails in an environment with multiple NAT gateways.

Last modified Wednesday, 12-Apr-2006 03:42:47 PM
