Kerberos authentication without reverse lookup

Fredrik Tolf fredrik at dolda2000.com
Tue Jan 18 15:14:30 EST 2005


On Mon, 2005-01-17 at 16:49 -0500, Rachel Elizabeth Dillon wrote:
> On Mon, Jan 17, 2005 at 04:40:59AM +0100, Fredrik Tolf wrote:
> > I was thinking about adding local hints to our own reverse zones to our
> > Bind configs to make reverse lookups work just between our own networks,
> > but that will be extremely difficult at best, since he has a dynamic IP.
> > We can figure out how to update the forward zones when his IP changes,
> > but since updating the reverse zones involves creating an entire new
> > zone each time, that solution feels a bit hopeless... :-(
> 
> Making a new zone is not particularly harder than updating an existing
> zone. It will lead to a bunch of useless reverse zone files, but you could
> write a script to clean those up too. I am assuming that you are running
> your own DNS servers here; if not, I am not sure what you would do. If
> you are running your own DNS server, you still have to tread carefully
> when making yourself the primary source of reverse DNS information, but
> I think you should be able to do it. (You should even be able to set up
> something that does the updates automatically; I would use Net::DNS in
> Perl to do this, but I am sure there are plenty of fine solutions.)

Correct me if I'm wrong now, but it still seems like a rather large
thing to do, since a new zone will have to be created every time. To me,
it seems like I have to write a script suite that
1. Detects when the IP address changes (OK, I'd have to do that anyway),
2. Updates named.conf automatically,
3. Creates a new zone file, populates it and
4. Notifies a script on the other domain remotely, which then in turn
updates the hint info in the other domain's named.conf, by creating and
populating a new hint zone.

If you know of a better way to fix that, please do tell me. =)

However,

> > So, is there anyone who has experienced a similar situation before and
> > solved it? Is there, by any chance, another way of letting Kerberos
> > canonicalize service principal names?
> 
> I've never had to deal with this personally, nor do I know of another way
> to canonicalize service principal names; I just happen to have been doing
> a lot of work with DNS recently. :)

I came up with a fairly simple solution that would be to add, to inetd
on each host, a simple program that just echoes to the connecting host
what that host's perception of its own FQDN is. Then I'd write a simple
nsswitch module for gethostbyaddr (possibly with some kind of config
file so that it never tries for hosts that aren't supposed to be part of
this) that connects to this service on the address that it is supposed
to canonicalize.

As I see it, it should work with no security problems. I'm not sure,
though, so if anyone can see a problem with this scheme, could you
please tell me?
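
The exchange described in the message above, as an added example that is not part of the original post or of any Kerberos or nsswitch code: the inetd-style program on the host writes its own FQDN and hangs up, and the lookup side connects to the address it wants to canonicalize and reads that one line. The port number, the host names and the resolver stub are assumptions for illustration. Because the name comes from the peer itself, the client treats it only as a hint: it is accepted only if it is a syntactically valid host name, falls under a configured domain (the "config file so that it never tries for hosts that aren't supposed to be part of this"), and forward-resolves back to the queried address, the same confirmation one would apply to a PTR answer.

```python
import re
import socket
import threading

# Assumed port for the hypothetical "tell me your FQDN" service.
FQDN_PORT = 9124

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Reject anything that is not a well-formed FQDN (<= 253 octets, valid
    labels, no whitespace or control characters)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def serve_fqdn(conn, fqdn):
    """Server side (what the inetd program does): write our FQDN, close."""
    try:
        conn.sendall((fqdn + "\n").encode("ascii"))
    finally:
        conn.close()


def start_server(fqdn, host="127.0.0.1"):
    """Run a one-shot server on a free port in a background thread.
    Returns the bound port. Stands in for inetd in this example."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        serve_fqdn(conn, fqdn)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def query_fqdn(addr, port=FQDN_PORT, timeout=2.0):
    """Client side (what the gethostbyaddr back-end does): connect to addr
    and read one line, bounded in size so a hostile peer cannot make us
    read forever."""
    data = b""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        while b"\n" not in data and len(data) < 300:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()


def system_resolver(name):
    """Forward-resolve name to the set of its address strings."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def canonicalize(addr, port=FQDN_PORT, allowed_suffixes=(), resolver=system_resolver):
    """Return the canonical name for addr, or None if the peer's answer is
    malformed, outside the configured domains, or does not forward-resolve
    to addr. allowed_suffixes plays the role of the config file."""
    try:
        name = query_fqdn(addr, port)
    except OSError:
        return None
    if not valid_hostname(name):
        return None
    bare = name.rstrip(".").lower()
    if allowed_suffixes and not any(
        bare == s or bare.endswith("." + s) for s in allowed_suffixes
    ):
        return None
    if addr not in resolver(bare):
        return None
    return bare


if __name__ == "__main__":
    # Local round trip; the forward check is stubbed since the name is made up.
    port = start_server("laptop.dolda2000.com")
    print(canonicalize("127.0.0.1", port, ("dolda2000.com",),
                       resolver=lambda n: {"127.0.0.1"}))
```

The forward-confirmation step is what keeps the scheme no weaker than ordinary reverse DNS: a host can only make itself appear under a name whose forward record already points at it, and names outside the configured domains are never taken from the service at all.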
