krb5 commit: Add a flag to prevent all host canonicalization
Greg Hudson
ghudson at MIT.EDU
Fri Sep 6 01:02:55 EDT 2013
https://github.com/krb5/krb5/commit/60edb321af64081e3eb597da0256faf117c9c441
commit 60edb321af64081e3eb597da0256faf117c9c441
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Sep 5 18:30:02 2013 -0400
Add a flag to prevent all host canonicalization
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
doc/admin/conf_files/krb5_conf.rst | 10 +++++++++-
src/include/k5-int.h | 2 ++
src/lib/krb5/krb/init_ctx.c | 5 +++++
src/lib/krb5/os/sn2princ.c | 2 +-
4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6fa94e7..ff6a861 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations:
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
+**dns_canonicalize_hostname**
+ Indicate whether name lookups will be used to canonicalize
+ hostnames for use in service principal names. Setting this flag
+ to false can improve security by reducing reliance on DNS, but
+ means that short hostnames will not be canonicalized to
+ fully-qualified hostnames. The default value is true.
+
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
@@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations:
**rdns**
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
- service principal names. The default value is true.
+ service principal names. If **dns_canonicalize_hostname** is set
+ to false, this flag has no effect. The default value is true.
**realm_try_domains**
Indicate whether a host's domain components should be used to
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 5119e66..f84fbd8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -207,6 +207,7 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_DISABLE "disable"
#define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success"
#define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout"
+#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME "dns_canonicalize_hostname"
#define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
#define KRB5_CONF_DNS_FALLBACK "dns_fallback"
@@ -1175,6 +1176,7 @@ struct _krb5_context {
krb5_boolean allow_weak_crypto;
krb5_boolean ignore_acceptor_hostname;
+ krb5_boolean dns_canonicalize_hostname;
krb5_trace_callback trace_callback;
void *trace_callback_data;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 3f4aad4..252596d 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -210,6 +210,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
goto cleanup;
ctx->ignore_acceptor_hostname = tmp;
+ retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->dns_canonicalize_hostname = tmp;
+
/* initialize the prng (not well, but passable) */
if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
goto cleanup;
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index b3de663..86a0762 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -86,7 +86,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
/* copy the hostname into non-volatile storage */
- if (type == KRB5_NT_SRV_HST) {
+ if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) {
struct addrinfo *ai = NULL, hints;
int err;
char hnamebuf[NI_MAXHOST];
More information about the cvs-krb5
mailing list