[krbdev.mit.edu #8925] [Comment] qualify_shortname default can be harmful in LAN setups

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Jul 9 16:46:29 EDT 2020


https://krbdev.mit.edu/rt/Ticket/Display.html?id=8925
This is a comment.  It is not sent to the Requestor(s):

Measures I have considered so far:

* Implement canonicalization fallback for keytab search, as Heimdal does in its
hostname canonicalization framework. If we did this, we might be able to get
away with a qualify_shortname="" default, sacrificing the TGS convenience.

* Using getaddrinfo(gethostname()) to construct the local FQDN, regardless of
dns_canonicalize_hostname value, under the theory that the local hostname will
be listed in /etc/hosts. This wouldn't solve the GSS acceptor name case because
we don't specifically know we're getting the local FQDN (unless we compared the
supplied hostname to gethostname(), but that seems like it would create other
edge cases). Also, I checked a few hosts under my control and found that one of
them did not list the local hostname in /etc/hosts (so "hostname -f" goes to
DNS).

We might also consider delaying any transformation of the hostname until
krb5_get_credentials/krb5_kt_get_entry time, so that we remember the original
value. In the LAN case, hostname.ispdomain probably does not resolve, whereas
the hostname alone does, so early shortname qualification gets in the way of
fallback. Heimdal does this in its hostname canonicalization framework unless
there is a single canonicalization rule of "nss". (Well, more or less; it still
removes trailing dots immediately.)
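The following is an added illustration, not code from krb5 or Heimdal, of the difference between qualifying the shortname up front and deferring the transformation to keytab-lookup time with a candidate-list fallback. The resolver table, keytab contents, realm and host names are constructed for the LAN scenario the comment describes: the bare hostname resolves (via /etc/hosts or the like) to a canonical LAN name, while the ISP-qualified name does not resolve at all.

```python
from typing import Dict, List, Optional, Set

# Constructed stand-in for getaddrinfo()/DNS. The bare hostname resolves and
# yields a canonical name; the ISP-qualified form does not resolve.
FAKE_RESOLVER: Dict[str, str] = {
    "nas": "nas.lan.example",
    "nas.lan.example": "nas.lan.example",
}

# Constructed keytab: the service key was extracted for the canonical LAN
# name, not for the name produced by qualify_shortname.
REALM = "LAN.EXAMPLE"
FAKE_KEYTAB: Set[str] = {"host/nas.lan.example@" + REALM}


def strip_trailing_dot(host: str) -> str:
    """Removing a trailing dot is safe to do immediately, as Heimdal does."""
    return host[:-1] if host.endswith(".") else host


def qualify_shortname(host: str, domain: str) -> str:
    """Mimic qualify_shortname: append the configured domain to a dotless name.
    An empty domain means no qualification at all."""
    if domain and "." not in host:
        return f"{host}.{domain}"
    return host


def canonicalize(host: str, resolver: Dict[str, str]) -> Optional[str]:
    """Stand-in for a getaddrinfo(AI_CANONNAME) lookup; None if unresolvable."""
    return resolver.get(host)


def keytab_candidates(original_host: str, qualify_domain: str,
                      resolver: Dict[str, str], dns_canonicalize: bool = True) -> List[str]:
    """Ordered host names to try for a keytab entry. The original name comes
    first, so a qualified name that fails to resolve cannot block fallback."""
    original = strip_trailing_dot(original_host)
    qualified = qualify_shortname(original, qualify_domain)
    ordered: List[Optional[str]] = [original, qualified]
    if dns_canonicalize:
        ordered += [canonicalize(original, resolver), canonicalize(qualified, resolver)]
    # Drop unresolvable results and duplicates while preserving order.
    seen: Set[str] = set()
    candidates: List[str] = []
    for h in ordered:
        if h and h not in seen:
            seen.add(h)
            candidates.append(h)
    return candidates


def lookup_with_fallback(original_host: str, qualify_domain: str,
                         keytab: Set[str] = FAKE_KEYTAB,
                         resolver: Dict[str, str] = FAKE_RESOLVER,
                         service: str = "host", realm: str = REALM) -> Optional[str]:
    """Deferred transformation: try each candidate until a keytab entry matches."""
    for h in keytab_candidates(original_host, qualify_domain, resolver):
        princ = f"{service}/{h}@{realm}"
        if princ in keytab:
            return princ
    return None


def lookup_qualify_first(original_host: str, qualify_domain: str,
                         keytab: Set[str] = FAKE_KEYTAB,
                         resolver: Dict[str, str] = FAKE_RESOLVER,
                         service: str = "host", realm: str = REALM) -> Optional[str]:
    """Early transformation: qualify immediately and forget the original name,
    so only the (possibly unresolvable) qualified name is ever tried."""
    host = qualify_shortname(strip_trailing_dot(original_host), qualify_domain)
    host = canonicalize(host, resolver) or host
    princ = f"{service}/{host}@{realm}"
    return princ if princ in keytab else None


if __name__ == "__main__":
    print(keytab_candidates("nas", "ispdomain.example", FAKE_RESOLVER))
    print("fallback:     ", lookup_with_fallback("nas", "ispdomain.example"))
    print("qualify-first:", lookup_qualify_first("nas", "ispdomain.example"))
    print("qualify='':   ", lookup_qualify_first("nas", ""))
```

With a qualify_shortname domain configured, the qualify-first path produces host/nas.ispdomain.example, which neither resolves nor has a key, and fails; the deferred path still reaches host/nas.lan.example. With an empty qualify domain the qualify-first path also succeeds, which is the trade-off the first bullet describes: a qualify_shortname="" default works here only because canonicalization (or fallback) covers the keytab case, at the cost of the TGS convenience.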
