openssh/mit kerberos and numeric host address

Greg Hudson ghudson at MIT.EDU
Sun Apr 7 02:27:32 EDT 2013


On 04/06/2013 02:50 AM, 王剑 wrote:
> -    retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
> -    if (retval)
> -     return retval;
> +    krb5int_clean_hostname(context, host, local_host, sizeof local_host);
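Review bot: dropping `retval` and the `if (retval) return retval;` path discards every error krb5int_clean_hostname can report, not just the numeric-address rejection this change is aimed at, so the caller would go on to build a principal from `local_host` after any helper failure. If the goal is to allow numeric addresses, keep the three removed lines as they were and relax (or make conditional) the numeric-address check inside the helper itself, so the call site still propagates other errors.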

Looking at the history of this code, the intent since krb5 1.3 has been
to forbid IP-address hostname components in host-based service
principals.  It happens that in krb5 1.6, we factored out the
numeric-address check and then neglected to check for errors when
calling the helper function.  But in krb5 1.3-1.5 and 1.7+, we return an
error.

KfW 3.2 was based on krb5 1.6.  OSX 10.6 may also use krb5 1.6 (I
believe the switch to Heimdal was in OSX 10.7).

All that said, I'm not sure why we should have this check.  If an
environment (such as yours) really wants to use numeric addresses in
service principals, I don't see why we should get in the way.  I'll
bring it up at our next team meeting and consider removing it.  I don't
think we'll go as far as creating an IP address prefix to realm mapping,
though.
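The numeric-address check the message describes, as an added illustration in C that is not krb5's own code: a hypothetical clean_hostname helper that rejects IPv4/IPv6 literals, and a caller that propagates its error instead of dropping it. The function names and the error code are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error code; real krb5 uses its own krb5_error_code values. */
#define HOSTNAME_IS_NUMERIC_ADDRESS EINVAL

/* Return 1 if host parses as an IPv4 or IPv6 address literal, else 0. */
int is_numeric_host(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Copy host into out, lower-cased and with a trailing dot stripped, then
 * refuse the result if it is a numeric address. Returns 0 on success,
 * nonzero on error; out is empty on error. */
int clean_hostname(const char *host, char *out, size_t outlen)
{
    size_t len = strlen(host);
    if (len + 1 > outlen)
        return ENAMETOOLONG;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    if (len > 0 && out[len - 1] == '.')
        len--;
    out[len] = '\0';
    if (is_numeric_host(out)) {          /* the check under discussion */
        out[0] = '\0';
        return HOSTNAME_IS_NUMERIC_ADDRESS;
    }
    return 0;
}

/* Caller that checks the helper's return value (the behaviour the message
 * attributes to krb5 1.3-1.5 and 1.7+; the 1.6 caller ignored it). */
int make_host_principal(const char *service, const char *host,
                        char *out, size_t outlen)
{
    char clean[256];
    int retval = clean_hostname(host, clean, sizeof clean);
    if (retval)
        return retval;   /* never build a principal from a rejected host */
    if (snprintf(out, outlen, "%s/%s", service, clean) >= (int)outlen)
        return ENAMETOOLONG;
    return 0;
}
```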
