Kerberos authentication without reverse lookup

Donn Cave donn at u.washington.edu
Wed Jan 19 12:44:44 EST 2005


In article <1106146833.13379.14.camel at pc7.dolda2000.com>,
 Fredrik Tolf <fredrik at dolda2000.com> wrote:

> On Tue, 2005-01-18 at 18:45 -0500, Roland Dowdeswell wrote:
> > On 1106079270 seconds since the Beginning of the UNIX epoch
> > Fredrik Tolf wrote:
> > >
> > 
> > >I came up with a fairly simple solution that would be to add, to inetd
> > >on each host, a simple program that just echoes to the connecting host
> > >what that host's perception of its own FQDN is. Then I'd write a simple
> > >nsswitch module for gethostbyaddr (possibly with some kind of config
> > >file so that it never tries for hosts that aren't supposed to be part of
> > >this) that connects to this service on the address that it is supposed
> > >to canonicalize.
> > 
> > You could always do what Heimdal does which is use ai->ai_canonname
> > rather than performing a reverse lookup.  Unfortunately, this strategy
> > is not followed by 3rd party vendors such as OpenSSH.
> 
> I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
> doing a reverse lookup? When I tried it out, at least that is what
> happened.

It depends on the platform.  The GNU getaddrinfo implementation
does.  I'm assuming AI_CANONNAME in ai_flags.

NetBSD 2.0 and AIX 5.2 don't; they stop at what you'd get from
gethostbyname() -- they look up CNAME aliases but don't
look up the IP PTR.

It might also be worth mentioning that the MIT implementation
uses this in several places, though in the critical
sname_to_principal() function it uses getnameinfo for the
lookup.

Secure DNS would be nice for all this.

   Donn Cave, donn at u.washington.edu
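
The two canonicalization strategies the thread contrasts, as an added example that is not from the thread or from any Kerberos implementation: the forward-only (CNAME-chasing) path versus the PTR path, run over a constructed zone so it works offline, plus the real getaddrinfo(AI_CANONNAME) call whose result varies by libc. The zone names and addresses are made up.

```python
import socket

# Constructed zone data (not from the thread). The forward zone is owned by
# example.com; the reverse zone for 192.0.2.0/24 is owned by whoever holds
# the address block, which is why a PTR-based canonical name is a different
# trust decision from a CNAME-based one.
FORWARD = {
    "mail.example.com": ("CNAME", "host1.example.com"),
    "host1.example.com": ("A", "192.0.2.10"),
}
REVERSE = {
    "192.0.2.10": "other.example.com",  # PTR need not match the forward name
}


def chase_cname(name, max_depth=8):
    """Forward-only canonicalization: follow CNAMEs, never consult PTR.
    This is the stopping point the thread reports for NetBSD 2.0 / AIX 5.2."""
    for _ in range(max_depth):
        rtype, value = FORWARD[name]
        if rtype != "CNAME":
            return name
        name = value
    raise RuntimeError("CNAME chain too long")


def canon_via_ptr(name):
    """Resolve forward, then take the PTR of the resulting address.
    This is the GNU getaddrinfo(AI_CANONNAME) / getnameinfo behaviour the
    thread describes; the answer comes from the reverse zone."""
    target = chase_cname(name)
    rtype, addr = FORWARD[target]
    if rtype != "A":
        raise RuntimeError("expected an address record")
    return REVERSE.get(addr, target)  # no PTR: keep the forward name


def service_principal(svc, host, realm, canon):
    """Build svc/<canonical host>@REALM, the shape sname_to_principal yields."""
    return f"{svc}/{canon(host).lower()}@{realm}"


def system_canonname(host):
    """The real call discussed in the thread; what it returns depends on the
    platform's getaddrinfo, exactly as the message says (needs a resolver)."""
    res = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return res[0][3]  # ai_canonname is filled in on the first entry only
```

Running service_principal with each strategy on the same host name shows that the principal, and therefore which keytab entry must exist, depends on which zone is trusted.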


More information about the Kerberos mailing list