What are the issues with dns_lookup_realm ?

Brian Candler B.Candler at pobox.com
Mon Oct 4 07:01:41 EDT 2010


In the admin guide at
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Mapping-Hostnames-onto-Kerberos-Realms
it says:

"The second mechanism [for mapping hostnames onto Kerberos realms] works by
looking up the information in special TXT records in the Domain Name
Service.  This is currently not used by default because security holes could
result if the DNS TXT records were spoofed"

Can you point me to further information on what these security issues are,
and how big a risk they might pose, so as to be able to make an informed
judgement as to whether to turn this on?

Let's say I have a user on workstation pc.foo.example.com, who wants to
ssh to server.bar.example.com. Both are in realm EXAMPLE.COM, and I declare
this in the DNS using

example.com.	IN	TXT	"EXAMPLE.COM"

Both machines have dns_lookup_realm = true and default_realm = EXAMPLE.COM
in krb5.conf

(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?

(2) Could any of the DNS responses take precedence over the default_realm
specified in the config file for either the client or the server? (*)

(3) What's the worst that could happen if someone managed to insert a
spoofed TXT record in one of the responses?

(4) Kerberos also relies on reverse DNS to map IP address to hostname (and
hence to realm, either by domain_realm rules or by another DNS lookup). Are
the security issues with dns_lookup_realm any more severe than those already
inherent in IP to hostname lookups?

Thanks,

Brian Candler.

(*) The documentation for default_realm is unclear. It says:

"If this is not specified and the TXT record lookup is enabled (see Using
DNS), then that information will be used to determine the default realm"

which implies to me that the TXT record *won't* be looked up if you define
default_realm, even if dns_lookup_realm is true.

However, experimentation suggests that if I have dns_lookup_realm = true,
and I omit the TXT record from the DNS, then authentication doesn't work.
This is with krb5 1.3.4 from CentOS 4.6 and 4.4.
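For comparison, here is an added krb5.conf fragment (not from the post or the MIT documentation) showing the DNS-dependent setting the post asks about beside the static domain_realm mapping that removes the dependency on DNS answers. It uses the host and realm names from the post; the TXT record name _kerberos.<host> is the one MIT krb5 queries when dns_lookup_realm is enabled.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Weak setting (the one the post asks about): for a host with no
    # domain_realm match, krb5 resolves the realm from TXT records named
    # _kerberos.<host>, then _kerberos.<parent domain>, and trusts the
    # realm string in the answer. A spoofed answer therefore picks the realm.
    # dns_lookup_realm = true
    # Hardened setting: never consult DNS to map a hostname to a realm.
    dns_lookup_realm = false

[domain_realm]
    # Static hostname-to-realm rules; these are consulted before any DNS
    # lookup, so the mapping is fixed by the config file, not the network.
    # A leading dot matches every host under the domain, the bare name
    # matches the domain itself.
    .foo.example.com = EXAMPLE.COM
    .bar.example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With the domain_realm entries in place, both pc.foo.example.com and server.bar.example.com map to EXAMPLE.COM without any TXT query, which is the simplest way to avoid the spoofing concern the admin guide mentions.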