krb5 commit: Add a flag to prevent all host canonicalization

Greg Hudson ghudson at MIT.EDU
Fri Sep 6 01:02:55 EDT 2013


https://github.com/krb5/krb5/commit/60edb321af64081e3eb597da0256faf117c9c441
commit 60edb321af64081e3eb597da0256faf117c9c441
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Sep 5 18:30:02 2013 -0400

    Add a flag to prevent all host canonicalization
    
    If dns_canonicalize_hostname is set to false in [libdefaults],
    krb5_sname_to_principal will not canonicalize the hostname using
    either forward or reverse lookups.
    
    ticket: 7703 (new)

 doc/admin/conf_files/krb5_conf.rst |   10 +++++++++-
 src/include/k5-int.h               |    2 ++
 src/lib/krb5/krb/init_ctx.c        |    5 +++++
 src/lib/krb5/os/sn2princ.c         |    2 +-
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6fa94e7..ff6a861 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations:
     clients from taking advantage of new stronger enctypes when the
     libraries are upgraded.
 
+**dns_canonicalize_hostname**
+    Indicate whether name lookups will be used to canonicalize
+    hostnames for use in service principal names.  Setting this flag
+    to false can improve security by reducing reliance on DNS, but
+    means that short hostnames will not be canonicalized to
+    fully-qualified hostnames.  The default value is true.
+
 **dns_lookup_kdc**
     Indicate whether DNS SRV records should be used to locate the KDCs
     and other servers for a realm, if they are not listed in the
@@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations:
 **rdns**
     If this flag is true, reverse name lookup will be used in addition
     to forward name lookup to canonicalizing hostnames for use in
-    service principal names.  The default value is true.
+    service principal names.  If **dns_canonicalize_hostname** is set
+    to false, this flag has no effect.  The default value is true.
 
 **realm_try_domains**
     Indicate whether a host's domain components should be used to
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 5119e66..f84fbd8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -207,6 +207,7 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_DISABLE                     "disable"
 #define KRB5_CONF_DISABLE_LAST_SUCCESS        "disable_last_success"
 #define KRB5_CONF_DISABLE_LOCKOUT             "disable_lockout"
+#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME   "dns_canonicalize_hostname"
 #define KRB5_CONF_DNS_LOOKUP_KDC              "dns_lookup_kdc"
 #define KRB5_CONF_DNS_LOOKUP_REALM            "dns_lookup_realm"
 #define KRB5_CONF_DNS_FALLBACK                "dns_fallback"
@@ -1175,6 +1176,7 @@ struct _krb5_context {
 
     krb5_boolean allow_weak_crypto;
     krb5_boolean ignore_acceptor_hostname;
+    krb5_boolean dns_canonicalize_hostname;
 
     krb5_trace_callback trace_callback;
     void *trace_callback_data;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 3f4aad4..252596d 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -210,6 +210,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
         goto cleanup;
     ctx->ignore_acceptor_hostname = tmp;
 
+    retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->dns_canonicalize_hostname = tmp;
+
     /* initialize the prng (not well, but passable) */
     if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
         goto cleanup;
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index b3de663..86a0762 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -86,7 +86,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
 
         /* copy the hostname into non-volatile storage */
 
-        if (type == KRB5_NT_SRV_HST) {
+        if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) {
             struct addrinfo *ai = NULL, hints;
             int err;
             char hnamebuf[NI_MAXHOST];
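Review bot: The new `&& context->dns_canonicalize_hostname` on the `if` at the top of this hunk sends a KRB5_NT_SRV_HST request down the function's non-canonicalizing path with no comment saying so, and if that path's existing annotation (outside this hunk) still labels it as the KRB5_NT_UNKNOWN case, it is now stale and should be updated. I would add above the condition: `/* Skip forward/reverse DNS when dns_canonicalize_hostname is false; the caller's hostname is then used verbatim, so a short or aliased name is not expanded. */`. That comment should also state the trade-off the option buys: no DNS answer, spoofed or otherwise, can change which service principal is requested, but the caller must then pass the exact host name the service's key is registered under. krb5_sname_to_principal's body starts before and continues after this hunk.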

