bug: krb5_get_host_realm() no longer uses DNS
Richard E. Silverman
res at qoxp.net
Sat May 15 04:14:58 EDT 2010
Somewhere between 1.5.4 and 1.8.1, this code was removed from
krb5_get_host_realm() and moved to krb5_get_fallback_host_realm():
#ifdef KRB5_DNS_LOOKUP
    if (_krb5_use_dns_realm(context)) {
        cp = local_host;
        do {
            retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
            cp = strchr(cp,'.');
            if (cp)
                cp++;
        } while (retval && cp && cp[0]);
    }
#endif /* KRB5_DNS_LOOKUP */
... leaving krb5_get_host_realm() unable to use the DNS for realm
mapping. Since the functions most used for obtaining tickets, in
lib/krb5/krb/gc_frm_kdc.c, use krb5_get_fallback_host_realm(), clients
still work -- but servers can break. If a server determines its realm via
a TXT record, e.g. for gss_acquire_cred(), then it now fails where it
worked in earlier versions (this has bitten me with OpenSSH).
Am I missing something, or is this just a bug?
--
Richard Silverman
res at qoxp.net
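
Added example, not part of the original message and not MIT krb5 code: a stand-alone version of the quoted domain walk, showing which "_kerberos" TXT owner names are tried for a host and that the most specific record wins. The zone table, mock_txt_lookup() and realm_from_txt() are hypothetical names with constructed data; a real resolver call would replace the stub.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for DNS TXT records. */
struct txt_rr { const char *owner; const char *text; };
static const struct txt_rr zone[] = {
    { "_kerberos.example.com",     "EXAMPLE.COM" },
    { "_kerberos.lab.example.com", "LAB.EXAMPLE.COM" },
};

/* Hypothetical stub for a TXT query: 0 and *realm set on a hit, -1 on a miss. */
static int mock_txt_lookup(const char *prefix, const char *domain, const char **realm)
{
    char owner[256];
    size_t i;
    if (snprintf(owner, sizeof(owner), "%s.%s", prefix, domain) >= (int)sizeof(owner))
        return -1;                      /* owner name too long to query */
    for (i = 0; i < sizeof(zone) / sizeof(zone[0]); i++) {
        if (strcmp(zone[i].owner, owner) == 0) {
            *realm = zone[i].text;
            return 0;
        }
    }
    return -1;
}

/* Same walk as the quoted loop: try the full host name, then strip one
 * leading label per miss. Returns the realm or NULL; *queries counts lookups. */
const char *realm_from_txt(const char *host, int *queries)
{
    const char *cp = host, *realm = NULL;
    int retval;
    *queries = 0;
    do {
        retval = mock_txt_lookup("_kerberos", cp, &realm);
        (*queries)++;
        cp = strchr(cp, '.');
        if (cp)
            cp++;
    } while (retval && cp && cp[0]);
    return retval ? NULL : realm;
}

int main(void)
{
    int q;
    const char *r = realm_from_txt("ssh.lab.example.com", &q);
    printf("%s after %d queries\n", r ? r : "(no realm)", q);
    return 0;
}
```

A host with no matching record at any level returns NULL after one query per label, which is the case where a caller has to fall back to another mapping or fail.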