krb5 commit [krb5-1.11]: Document principal name interactions with DNS
Tom Yu
tlyu at MIT.EDU
Sun Dec 16 21:30:36 EST 2012
https://github.com/krb5/krb5/commit/6bd03b61eecb0f76da4c02d47bdf9d2611ea2054
commit 6bd03b61eecb0f76da4c02d47bdf9d2611ea2054
Author: Tom Yu <tlyu at mit.edu>
Date: Mon Dec 10 00:21:15 2012 -0500
Document principal name interactions with DNS
Add princ_dns.rst to document the interactions of host-based Keberos
service principal names and DNS.
(cherry picked from commit 85c378e9e44ca184209056f118e75b6511cb40b8)
ticket: 7498
version_fixed: 1.11
status: resolved
doc/admin/index.rst | 1 +
doc/admin/princ_dns.rst | 113 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 114 insertions(+), 0 deletions(-)
diff --git a/doc/admin/index.rst b/doc/admin/index.rst
index b27354a..fb27237 100644
--- a/doc/admin/index.rst
+++ b/doc/admin/index.rst
@@ -14,6 +14,7 @@ For administrators
host_config.rst
backup_host.rst
pkinit.rst
+ princ_dns.rst
.. toctree::
:maxdepth: 1
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
new file mode 100644
index 0000000..0f5662b
--- /dev/null
+++ b/doc/admin/princ_dns.rst
@@ -0,0 +1,113 @@
+Principal names and DNS
+=======================
+
+Kerberos clients can do DNS lookups to canonicalize service principal
+names. This can cause difficulties when setting up Kerberos
+application servers, especially when the client's name for the service
+is different from what the service thinks its name is.
+
+
+Service principal names
+-----------------------
+
+A frequently used kind of principal name is the host-based service
+principal name. This kind of principal name has two components: a
+service name and a hostname. For example, ``imap/imap.example.com``
+is the principal name of the "imap" service on the host
+"imap.example.com". Other possible service names for the first
+component include "host" (remote login services such as ssh), "HTTP",
+and "nfs" (Network File System).
+
+Service administrators often publish well-known hostname aliases that
+they would prefer users to use instead of the canonical name of the
+service host. This gives service administrators more flexibility in
+deploying services. For example, a shell login server might be named
+"long-vanity-hostname.example.com", but users will naturally prefer to
+type something like "login.example.com". Hostname aliases also allow
+for administrators to set up load balancing for some sorts of services
+based on rotating ``CNAME`` records in DNS.
+
+
+Service principal canonicalization
+----------------------------------
+
+MIT Kerberos clients currently always do forward resolution (looking
+up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of
+the hostname part of a host-based service principal to canonicalize
+the hostname. They obtain the "canonical" name of the host when doing
+so. By default, MIT Kerberos clients will also then do reverse DNS
+resolution (looking up the hostname associated with the IPv4 or IPv6
+address using ``getnameinfo()``) of the hostname. Using the
+:ref:`krb5.conf(5)` setting
+
+ ::
+
+ [libdefaults]
+ rdns = false
+
+will disable reverse DNS lookup on clients. The default setting is
+"true".
+
+Operating system bugs may prevent a setting of ``rdns = false`` from
+disabling reverse DNS lookup. Some versions of GNU libc have a bug in
+``getaddrinfo()`` that cause them to look up ``PTR`` records even when
+not required. MIT Kerberos releases krb5-1.10.2 and newer have a
+workaround for this problem, as does the krb5-1.9.x series as of
+release krb5-1.9.4.
+
+
+Reverse DNS mismatches
+----------------------
+
+Sometimes, an enterprise will have control over its forward DNS but
+not its reverse DNS. The reverse DNS is sometimes under the control
+of the Internet service provider of the enterprise, and the enterprise
+may not have much influence in setting up reverse DNS records for its
+address space. If there are difficulties with getting forward and
+reverse DNS to match, it is best to set ``rdns = false`` on client
+machines.
+
+
+Overriding application behavior
+-------------------------------
+
+Applications can choose to use a default hostname component in their
+service principal name when accepting authentication, which avoids
+some sorts of hostname mismatches. Because not all relevant
+applications do this yet, using the :ref:`krb5.conf(5)` setting
+
+ ::
+
+ [libdefaults]
+ ignore_acceptor_hostname = true
+
+will allow the Kerberos library to override the application's choice
+of service principal hostname and will allow a server program to
+accept incoming authentications using any key in its keytab that
+matches the service name and realm name (if given). This setting
+defaults to "false" and is available in releases krb5-1.10 and later.
+
+
+Provisioning keytabs
+--------------------
+
+One service principal entry that should be in the keytab is a
+principal whose hostname component is the canonical hostname that
+``getaddrinfo()`` reports for all known aliases for the host. If the
+reverse DNS information does not match this canonical hostname, an
+additional service principal entry should be in the keytab for this
+different hostname.
+
+
+Specific application advice
+---------------------------
+
+Secure shell (ssh)
+~~~~~~~~~~~~~~~~~~
+
+Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file
+of modern versions of the openssh daemon will allow the daemon to try
+any key in its keytab when accepting a connection, rather than looking
+for the keytab entry that matches the host's own idea of its name
+(typically the name that ``gethostname()`` returns). This requires
+krb5-1.10 or later.
More information about the cvs-krb5
mailing list