[krbdev.mit.edu #2250] Uppercase realm bug

Jeffrey Altman jaltman at columbia.edu
Tue Feb 17 12:15:33 EST 2004


The Upper Case Realm registry setting is set according to the following
rules (documented in the KfW Release Notes):


        upper case realm:

   1. Use value from registry 
      (HKCU\Software\MIT\Leash32\Settings,uppercaserealm) if present.
   2. Otherwise, use value from registry 
      (HKLM\Software\MIT\Leash32\Settings,uppercaserealm) if present.
   3. Otherwise, use resource string if present.
   4. Otherwise, default to 1.

The HKCU value is displayed and can be toggled by the end user via
Leash's *Options->Upper Case Realm Name* menu item. This value is
utilized by the Leash_kinit_dlg() and Leash_kinit_dlg_ex() functions
to determine whether or not the input from the end user should be
uppercased before performing a TGS request.  This value is not used
to modify the configuration of the Edit window to require the input
of Upper Case characters.

The Kerberos Protocol standard strongly advises the use of DNS-style
realm names consisting entirely of Upper Case alphanumerics.  The
dialogs you believe are misimplemented are those available from Leash's
*Options->Kerberos Properties ...* dialog which are used to edit
the contents of the KRB5.INI, KRB.CON, and KRBREALM.CON files.  There
is no requirement that these configuration files be edited using Leash.
However, it is believed that it is in the interest of support organizations
to discourage the use of lower case or Mixed Case realm names.  Their
use can only increase the likelihood that realms will exist whose names
only differ by case.  This opens the doors to interesting social
engineering attacks against users when combined with DNS Lookups of
KDC locations. 

For this reason, I do not intend to change the behavior
of Leash in this regard.  If you wish to use Mixed Case realms you
can do so by editing your configuration files by hand.

Jeffrey Altman


Eli Breder via RT wrote:

>Hi,
>
>I would like to be able to enter mixed-case realm names in Leash.
>However, when I uncheck the "Uppercase Realm" Option menu item, the
>various dialog boxes still force uppercase in all the edit boxes that
>are used to type in realm names. 
>
>I was informed that this menu item should only affect the Get Tickets
>dialog and the Change Password dialog. However, this does not seem to
>work: both dialogs do not force uppercase when the setting is checked.
> 
>Thank you,
>Eli Breder
>
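The reply's concern, that mixed-case realm names make it more likely for realms to exist whose names differ only by case, can be checked in a hand-edited KRB5.INI. The following is an added example, not part of the original message or of KfW: the sample profile and the function names are constructed for illustration, and the parser assumes the simple [libdefaults] / [realms] / [domain_realm] layout shown.

```python
import re
from collections import defaultdict

# Constructed sample profile (not taken from any real site).
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
    Example.Org = {
        kdc = kdc.other.test
    }
[domain_realm]
    host.example.org = example.org
"""

def realm_names(text):
    """Return (section, realm) for every realm name the profile mentions."""
    section, depth, found = None, 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:                      # new top-level section
            section = m.group(1)
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "realms" and depth == 0 and value.startswith("{"):
            found.append((section, key))          # REALM = { ... }
        elif section == "domain_realm" and value:
            found.append((section, value))        # host-or-domain = REALM
        elif section == "libdefaults" and key == "default_realm":
            found.append((section, value))
        depth += line.count("{") - line.count("}")
    return found

def audit(text):
    """Flag realm names that are not all upper case or that collide by case."""
    not_upper, by_folded = [], defaultdict(set)
    for section, realm in realm_names(text):
        if realm != realm.upper():
            not_upper.append((section, realm))
        by_folded[realm.upper()].add(realm)
    collisions = {k: sorted(v) for k, v in by_folded.items() if len(v) > 1}
    return not_upper, collisions

if __name__ == "__main__":
    print(audit(SAMPLE_KRB5_INI))
```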

