Kerberos behavior in the presence of multiple PTR records
Will Fiveash
will.fiveash at oracle.com
Fri Mar 15 15:24:14 EDT 2013
On Thu, Mar 14, 2013 at 09:39:56PM -0400, Greg Hudson wrote:
> On 03/14/2013 07:08 PM, Yury Sulsky wrote:
> > I'm not sure I understand. The function [krb5_sname_to_principal] takes
> > a candidate hostname (or calls [gethostname] if that argument is NULL),
> > and performs a forward lookup using [getaddrinfo]. It then takes the
> > canonical name and IP address stored in the first addrinfo record and
> > checks that that DNS has a reverse mapping from that IP address to that
> > canonical name, otherwise it fails.
>
> krb5_sname_to_principal takes whatever answer it gets from the reverse
> lookup and uses that as the canonical hostname (after converting it to
> lowercase and chopping off any trailing dot). There is no check to see
> if that result is the same as the forward lookup. Take a look at what
> happens to the remote_host variable after the getnameinfo call.
Note that Solaris krb has never used reverse lookup in
krb5_sname_to_principal() and in the current source:
#if !defined(DEFAULT_RDNS_LOOKUP)
/* Solaris Kerberos */
#define DEFAULT_RDNS_LOOKUP 0
#endif
--
Will Fiveash
Oracle Solaris Software Engineer
More information about the Kerberos
mailing list