Description
As the MIT Kerberos docs say:
Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attack”: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.
In other words: since omniauth-kerberos does not provide any way to verify the provenance of the user credentials, it is vulnerable to spoofing the KDC.
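Added example (not from this issue or the omniauth-kerberos code): a toy Python model of the AS and TGS exchanges showing why a check that stops at decrypting the client enc-part with the password accepts a reply from an attacker-controlled KDC, while additionally obtaining a host/ service ticket and checking it against the host keytab (what krb5_verify_init_creds does) rejects it. Principal names, keys and the HMAC "sealing" are constructed stand-ins, not Kerberos wire formats.

```python
import hashlib
import hmac
import json
import os

# Toy model: "sealing" is an HMAC tag over a JSON payload, standing in for the
# Kerberos encryption of tickets and enc-parts (authenticity is the property
# the verification step relies on).

def kdf(password):
    return hashlib.sha256(password.encode()).digest()

def seal(key, payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return data, hmac.new(key, data, hashlib.sha256).digest()

def unseal(key, blob):
    data, tag = blob
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("bad key or forged ticket")
    return json.loads(data)

class KDC:
    def __init__(self, principals):
        self.keys = principals            # principal -> long-term key
        self.tgt_key = os.urandom(32)     # krbtgt key, private to this KDC

    def as_exchange(self, client):        # AS-REP: TGT plus enc-part under the client key
        session = os.urandom(16).hex()
        return {"tgt": seal(self.tgt_key, {"client": client, "session": session}),
                "enc_part": seal(self.keys[client], {"session": session})}

    def tgs_exchange(self, tgt, service):  # TGS-REP: service ticket under the service key
        info = unseal(self.tgt_key, tgt)
        return seal(self.keys[service], {"client": info["client"], "service": service})

def login(kdc, user, password, host_keytab=None):
    """`kdc` is whichever KDC the application reaches (a rogue one if realm lookup
    was spoofed).  host_keytab=None stops at the password step, as the issue describes
    omniauth-kerberos doing; with a keytab the host/ service ticket is verified too."""
    rep = kdc.as_exchange(user)
    try:
        unseal(kdf(password), rep["enc_part"])   # only proves the KDC knew the user's key
        if host_keytab is None:
            return True
        ticket = kdc.tgs_exchange(rep["tgt"], host_keytab["principal"])
        svc = unseal(host_keytab["key"], ticket)  # rogue KDC lacks the host key -> fails
        return svc["client"] == user
    except ValueError:
        return False
```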