Is there a list of characters allowed to define a principal name and realm?

Marcus Watts mdw at umich.edu
Tue Jun 27 18:42:49 EDT 2006


> To: kerberos at mit.edu
> Subject: Is there a list of characters allowed to define a principal name and
> 	realm?
> From: Julio Cesar Parra/Mexico/IBM <jcparra at mx1.ibm.com>
> Message-ID: <OF91EF90CF.B59C1603-ON8625719A.0077F114-8625719A.00787B3E at mx1.ibm.com>
> Date: Tue, 27 Jun 2006 17:01:13 -0500
> 
> Hello..
> 
> I'm writing some documentation on these two terms (principal name and 
> realm), and I'm wondering if there are any special characters allowed in 
> a principal name or a realm name?
> 
> I know that the valid characters are case sensitive and include all 
> alphanumeric characters (a-z, A-Z, 0-9), but I need to know if there are 
> more special characters that need to be considered.
> 
> Thanks in advance.
> 
> 
> *  Carpe diem
> Julio Cesar Parra Uribe    IBMMX(JCPARRA) 
> E-mail:   jcparra at mx1.ibm.com 
> T/L   877-2535 Ext phone:  (5233)3669-7000  Ext.  2535
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

As far as I can tell, the kerberos source (mit and heimdal)
tries very hard to support "any printable ascii character",
or very nearly, "any ascii character".
When converting to/from printable form, krb5_parse_name
and krb5_unparse_name recognize these as special:
	@ - start realm
	/ - delimit name components
	\ - escape next character:
		\@ - embed @ in name or realm component
		\/ - embed / in name or realm component
		\0 - embed NUL
		\n - embed newline
		\t - embed tab
		\b - embed backspace
		\Z - embed Z (anything but 0ntb) in name or realm. (but
			for identity mapped characters, only
			space \ @ and / are escaped on output.)
	note: this means \v \r \f \x20 \177 are not the same as in C.
There's an expectation (depending on configuration) that the realm name
might be looked up in DNS.

I believe shishi doesn't handle \0 \n \r \t \b.

RFC 4120 requires IA5String support, but flat out forbids \0 in realms,
and for other control characters says "SHOULD NOT" be used in principal
or realm names.  There are additional constraints on realm names;
the use of : or / in the realm indicates special behavior.

				-Marcus Watts
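The parse/unparse rules listed above, worked through as an added Python example. This is not code from the MIT, Heimdal or Shishi sources; it follows the post's description of krb5_parse_name and krb5_unparse_name. Two points are this example's own assumptions: a second unescaped `@` after the realm has started is rejected as malformed, and the `check_rfc4120` function only reports the constraints the post mentions (NUL forbidden in realms, control characters "SHOULD NOT", IA5String, and `:` or `/` in a realm selecting a special realm style).

```python
"""Parse and unparse Kerberos principal names per the escaping rules described
in the post (added example, not the MIT/Heimdal implementation)."""
from dataclasses import dataclass
from typing import List, Tuple

# Escapes that stand for a different character than the letter after the backslash.
_SPECIAL_ESCAPES = {"0": "\x00", "n": "\n", "t": "\t", "b": "\b"}
_REVERSE_SPECIAL = {v: k for k, v in _SPECIAL_ESCAPES.items()}
# Identity-mapped characters that are escaped on output so the text re-parses.
_ESCAPE_ON_OUTPUT = set(" \\@/")


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str


def parse_name(text: str, default_realm: str = "") -> Principal:
    """Split printable form into components and realm.

    '/' delimits name components, '@' starts the realm, '\\' escapes the next
    character; \\0 \\n \\t \\b map to NUL, LF, TAB, BS and any other escaped
    character stands for itself (so \\Z is just Z)."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 == len(text):
                raise ValueError("trailing backslash")
            esc = text[i + 1]
            buf.append(_SPECIAL_ESCAPES.get(esc, esc))
            i += 2
            continue
        if not in_realm and c == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and c == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and c == "@":
            # Assumption of this example: a second unescaped '@' is malformed.
            raise ValueError("unescaped '@' inside realm")
        else:
            buf.append(c)  # inside the realm, '/' is kept literally
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm  # no '@': caller supplies the default realm
    return Principal(tuple(components), realm)


def is_malformed(text: str) -> bool:
    """True when parse_name rejects the text."""
    try:
        parse_name(text)
        return False
    except ValueError:
        return True


def _escape(part: str) -> str:
    out = []
    for c in part:
        if c in _REVERSE_SPECIAL:
            out.append("\\" + _REVERSE_SPECIAL[c])
        elif c in _ESCAPE_ON_OUTPUT:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def unparse_name(p: Principal) -> str:
    """Printable form; only space, backslash, '@', '/' and NUL/LF/TAB/BS are escaped."""
    return "/".join(_escape(c) for c in p.components) + "@" + _escape(p.realm)


def check_rfc4120(p: Principal) -> List[str]:
    """Report the RFC 4120 constraints the post mentions (assumed set, see lead-in)."""
    problems: List[str] = []
    if "\x00" in p.realm:
        problems.append("error: NUL is forbidden in realm names")
    everything = "".join(p.components) + p.realm
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in everything):
        problems.append("warning: control characters SHOULD NOT appear in principal or realm names")
    if any(ord(ch) > 0x7F for ch in everything):
        problems.append("warning: non-IA5 (non-ASCII) character present")
    if ":" in p.realm or "/" in p.realm:
        problems.append("note: ':' or '/' in the realm indicates a special realm style")
    return problems


if __name__ == "__main__":
    # Constructed sample names; the second embeds '@' in a component.
    for name in ("host/www.example.com@EXAMPLE.COM", "joe\\@corp/admin@EXAMPLE.COM", "a\\nb@R"):
        p = parse_name(name)
        print(repr(p), "->", unparse_name(p), check_rfc4120(p))
```

Round-tripping through `parse_name` and `unparse_name` is the useful check here: a name that contains one of the special characters must come back identical, which is exactly what breaks when a tool compares principal strings instead of parsed components.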
