Kerberos authentication without reverse lookup

Ken Raeburn raeburn at MIT.EDU
Mon Jan 24 17:13:13 EST 2005


On Jan 19, 2005, at 12:44, Donn Cave wrote:
>> I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
>> doing a reverse lookup? When I tried it out, at least that is what
>> happened.
>
> It depends on the platform.  The GNU getaddrinfo implementation
> does.  I'm assuming AI_CANONNAME in ai_flags.

Yeah, the GNU one is just broken that way.

> NetBSD 2.0, AIX 5.2 don't, they stop at what you'd get from
> gethostbyname() -- they look up CNAME aliases but don't
> look up the IP PTR.

Yes, I think they're closer (at least) to getting it right.

Maybe not quite there... the NetBSD one didn't look thread-safe at a 
glance, though I may have missed something, and thread safety is part 
of the spec of the function.  I don't have AIX 5.2 to test with, but 
4.3.3 had some issues we had to work around, too.

> Also might be worth mentioning that the MIT implementation
> also uses this in several places, though in the critical
> sname_to_principal() function it uses getnameinfo for the
> lookup.
>
> Secure DNS would be nice for all this.

Yup, we've got problems to address in this area.  Can't do it for 1.4, 
though.

Ken
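To see which behaviour a given platform's getaddrinfo() actually has, here is a small diagnostic in C (added here as an example; it is not code from this thread or from MIT krb5). It assumes a working resolver and takes the host name from the command line, defaulting to localhost. It prints the ai_canonname returned with AI_CANONNAME next to the PTR name that getnameinfo() gives for the first address; an ai_canonname that matches the PTR name but is not the name you passed in (or its CNAME target) means the library is canonicalizing through reverse DNS, so whoever controls the PTR record for that address gets to choose the host part of the service principal a client will ask for.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* DNS names compare case-insensitively and a trailing dot is only the
   explicit root label, so "Host.Example.COM." equals "host.example.com". */
int dns_name_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Fills canon with ai_canonname from getaddrinfo(AI_CANONNAME) and ptr with
   the PTR name of the first address. Needs a resolver; returns 0 on success. */
int probe_canonicalization(const char *host, char *canon, socklen_t clen,
                           char *ptr, socklen_t plen)
{
    struct addrinfo hints = {0}, *res;   /* ai_family 0 == AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    snprintf(canon, clen, "%s", res->ai_canonname ? res->ai_canonname : host);
    /* NI_NAMEREQD: fail instead of silently falling back to the numeric form */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, ptr, plen, NULL, 0,
                    NI_NAMEREQD) != 0)
        snprintf(ptr, plen, "(no PTR)");
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    char canon[256], ptr[256];
    if (probe_canonicalization(host, canon, sizeof canon, ptr, sizeof ptr) != 0) {
        fprintf(stderr, "lookup of %s failed\n", host);
        return 1;
    }
    printf("input: %s\nai_canonname: %s\nPTR: %s\nai_canonname %s PTR name\n",
           host, canon, ptr, dns_name_equal(canon, ptr) ? "matches" : "differs from");
    return 0;
}
```

Run it against a host that is reached through a CNAME and whose PTR record names something else; the two output lines then differ exactly when the platform stops at the forward lookup, as the NetBSD and AIX implementations discussed above do.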
