Strange behavior with mixed case host name/principal

Jafar Aliev tubecleaner at gmail.com
Fri Apr 18 14:25:37 EDT 2025


Ken, thank you for the fast response.

Your answer almost fulfills my request. I'll incorporate extra checks
in our playbooks to enforce strict hostname casing.

One small splinter will remain: why the Kerberos lib indicates an error with
the exact host principal name that it has in the keytab.

P.S. My old RHEL 7.9 setup also doesn't have this problem: it
lowercases the hostname before requesting tickets.

On Fri, Apr 18, 2025 at 8:30 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
> >Workarounds with sshd_conf
> >GSSAPIStrictAcceptorCheck no
> >or krb5.conf
> >ignore_acceptor_hostname = true
> >work well, but I want to keep a strict hostname check.
>
> Why, exactly?  There are a few multi-homed situations where this
> can cause security issues but I don't think they apply here.
>
> There aren't wonderful solutions for this situation other than turning
> off strict acceptor checking.  The DNS is case-PRESERVING, but
> case-insensitive in lookup, so "SERVER" and "server" are treated as
> being identical when it comes to hostname lookup.  RFC 4120 recommends
> folding names to lowercase; that happens sometimes based on a particular
> Kerberos implementation (in MIT Kerberos that happens when the hostname
> is canonicalized in the function krb5_sname_to_principal() which is
> called by most higher-level APIs such as the GSSAPI).
>
> --Ken



-- 
Best regards,
Jafar Aliev
http://jafar.ru
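As an added example (not code from this thread or from MIT Kerberos), a playbook-style check that parses `klist -k` output and tells a keytab entry that matches only up to hostname case apart from one that is absent; the klist text, hostname and realm are constructed samples.

```python
import re
import socket

# Constructed samples of `klist -k` output (not from a real host); a playbook
# task would capture this text with: klist -k /etc/krb5.keytab
KLIST_MIXED_CASE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   2 host/WebServer01.example.com@EXAMPLE.COM
   2 host/WebServer01.example.com@EXAMPLE.COM
"""
KLIST_LOWER_CASE = KLIST_MIXED_CASE.replace("WebServer01", "webserver01")

# One keytab line: "<kvno> host/<hostname>@<REALM>"; other services are skipped.
HOST_PRINC_RE = re.compile(r"^\s*\d+\s+(host/[^@\s]+@\S+)\s*$")

def keytab_host_principals(klist_output):
    """Return the distinct host/ principals listed in `klist -k` output."""
    found = []
    for line in klist_output.splitlines():
        m = HOST_PRINC_RE.match(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def check_host_principal(fqdn, realm, klist_output):
    """Compare the keytab with the principal the library will actually ask for.

    RFC 4120 recommends folding the hostname to lowercase, and MIT Kerberos
    does so in krb5_sname_to_principal(), so the acceptor requests
    host/<lowercased fqdn>@REALM however the keytab entry was written.
    Realms are case-sensitive and are compared as-is.
    Returns 'ok', 'case-mismatch' (entry exists only under another case of
    the hostname, the situation in this thread) or 'missing'.
    """
    wanted = f"host/{fqdn.lower()}@{realm}"
    princs = keytab_host_principals(klist_output)
    if wanted in princs:
        return "ok"
    if any(p.split("@")[0].lower() == wanted.split("@")[0]
           and p.split("@")[1] == realm for p in princs):
        return "case-mismatch"
    return "missing"

if __name__ == "__main__":
    # On a real host the playbook would pass the system's own name here.
    fqdn = socket.getfqdn()
    print(fqdn, "->", check_host_principal(fqdn, "EXAMPLE.COM", KLIST_MIXED_CASE))
```

A "case-mismatch" result is the condition to fail the playbook on while keeping strict acceptor checking enabled.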
