Kerberos behavior in the presence of multiple PTR records

Greg Hudson ghudson at MIT.EDU
Thu Mar 14 21:39:56 EDT 2013

On 03/14/2013 07:08 PM, Yury Sulsky wrote:
> I'm not sure I understand. The function [krb5_sname_to_principal] takes
> a candidate hostname (or calls [gethostname] if that argument is NULL),
> and performs a forward lookup using [getaddrinfo]. It then takes the
> canonical name and IP address stored in the first addrinfo record and
> checks that that DNS has a reverse mapping from that IP address to that
> canonical name, otherwise it fails.

krb5_sname_to_principal takes whatever answer it gets from the reverse
lookup and uses that as the canonical hostname (after converting it to
lowercase and chopping off any trailing dot).  There is no check to see
if that result is the same as the forward lookup.  Take a look at what
happens to the remote_host variable after the getnameinfo call.
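
A small diagnostic for the behavior described in this message, added here as an example and not taken from MIT krb5: it performs the forward lookup, reverse-resolves the first address, applies the same lowercase and trailing-dot handling, and reports whether the PTR-derived name differs from the forward canonical name. The helper names (`normalize_host`, `names_diverge`, `canon_names`) are hypothetical.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Lowercase in place and drop one trailing dot (the handling the message describes). */
static void normalize_host(char *h)
{
    size_t n;
    for (char *p = h; *p; p++)
        *p = (char)tolower((unsigned char)*p);
    n = strlen(h);
    if (n > 0 && h[n - 1] == '.')
        h[n - 1] = '\0';
}

/* Hypothetical helper: 1 when the PTR-derived name is not the forward name. */
static int names_diverge(const char *fwd, const char *rev)
{
    return strcmp(fwd, rev) != 0;
}

/* Hypothetical helper: fwd gets the forward canonical name, rev the PTR answer
 * for the first address. Returns 0, -1 (forward failed) or -2 (reverse failed). */
static int canon_names(const char *host, char *fwd, char *rev, size_t len)
{
    struct addrinfo hints, *ai;
    int rc;
    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_CANONNAME;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &ai) != 0)
        return -1;
    snprintf(fwd, len, "%s", ai->ai_canonname ? ai->ai_canonname : host);
    /* NI_NAMEREQD: fail instead of returning a numeric address string. */
    rc = getnameinfo(ai->ai_addr, ai->ai_addrlen, rev, (socklen_t)len, NULL, 0, NI_NAMEREQD);
    freeaddrinfo(ai);
    if (rc != 0)
        return -2;
    normalize_host(fwd);
    normalize_host(rev);
    return 0;
}

int main(int argc, char **argv)
{
    char fwd[1025], rev[1025];
    if (argc != 2 || canon_names(argv[1], fwd, rev, sizeof(fwd)) != 0)
        return 1;
    printf("forward=%s reverse=%s %s\n", fwd, rev, names_diverge(fwd, rev) ? "MISMATCH" : "match");
    return 0;
}
```

A MISMATCH line means the reverse answer, not the forward one, is the hostname that would be used under the behavior described above, so the service key has to exist under that name.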
