Kerberos behavior in the presence of multiple PTR records

Will Fiveash will.fiveash at
Fri Mar 15 15:24:14 EDT 2013

On Thu, Mar 14, 2013 at 09:39:56PM -0400, Greg Hudson wrote:
> On 03/14/2013 07:08 PM, Yury Sulsky wrote:
> > I'm not sure I understand. The function [krb5_sname_to_principal] takes
> > a candidate hostname (or calls [gethostname] if that argument is NULL),
> > and performs a forward lookup using [getaddrinfo]. It then takes the
> > canonical name and IP address stored in the first addrinfo record and
> > checks that that DNS has a reverse mapping from that IP address to that
> > canonical name, otherwise it fails.
> krb5_sname_to_principal takes whatever answer it gets from the reverse
> lookup and uses that as the canonical hostname (after converting it to
> lowercase and chopping off any trailing dot).  There is no check to see
> if that result is the same as the forward lookup.  Take a look at what
> happens to the remote_host variable after the getnameinfo call.

Note that Solaris krb has never used reverse lookup in
krb5_sname_to_principal() and in the current source:

/* Solaris Kerberos */

Will Fiveash
Oracle Solaris Software Engineer

More information about the Kerberos mailing list