[krbdev.mit.edu #6031] krb needs better realm lookup logic

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon Oct 6 17:17:15 EDT 2008


Recording the conclusions (or my interpretation of them) from an email
discussion of this patch:

1. We do not want to do a "zero-configuration" determination of a
machine's default realm.  It would require a reliance on DNS which is
not secure.  (However, we should look into providing a realm-join
facility to make configuration of Kerberized hosts easier.)

2. We do want the host->realm heuristic, even though we also plan to
implement referrals for host->realm lookups in the future.  However,
when used in combination with dns_lookup_kdc, the heuristic would allow
an attacker to use forged NXDOMAIN responses to cause the host->realm
lookup to choose a higher-level parent than the appropriate one.
Although this is a constrained risk, it is still a risk.  Since
dns_lookup_kdc is on by default, the host->realm heuristic should be off
by default.

3. The heuristic should be changed to check the domain as specified
before moving on to its parents.

4. It has been suggested that the configuration variable to enable this
heuristic could specify the number of parents to check.  (That is, if
the host is a.b.c.d, a configuration value of 0 would check only
A.B.C.D, a value of 1 or more would also check B.C.D, and a value of 2
or more would also check C.D.)

I note that the patch uses strlcpy().  We do not appear to use this
function in the MIT krb5 code base, I believe because (1) it is not
completely portable, and (2) we do not believe in using truncating
string functions since truncation can itself be a security risk.
Realizing that strcpy() sometimes triggers warnings in static analysis
tools, I currently favor using memcpy() to copy string contents.

I will implement these changes (not sure exactly when); there is no need
to resubmit the patch.

The patch adds some Sun copyright statements to the code comments; being
new to the team, I'm not sure if that poses any issues.  I'll discuss it
with the team and report back if it's a problem.

Thanks very much for the code contribution.
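The heuristic from points 3 and 4, written out as an added C example (not MIT krb5 code and not part of the ticket): the domain as specified is probed first, then up to a configured number of parents. `guess_realm`, `kdc_probe_fn`, `table_probe`, `demo_lookup` and the constructed KDC tables are all assumed names, and the rule that a single-label name (a TLD) is never tried as a realm is an assumption added here, not something the ticket states.

```c
/*
 * Added example, not MIT krb5 code: the host->realm heuristic as described
 * in points 3 and 4 above. The input is the host's domain (a.b.c.d in the
 * ticket's example); the domain as specified is tried first, then up to
 * `parent_limit` parent domains. Whether a candidate has a KDC is decided
 * by a caller-supplied probe; krb5 would answer that with a KDC lookup,
 * here a constructed table stands in for it.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 256

/* Probe: return 1 if a KDC is known for `realm`, 0 otherwise. */
typedef int (*kdc_probe_fn)(const char *realm, void *ctx);

/* Upper-case `src` into `dst` (realm names are conventionally upper-case).
 * The length is checked up front so the copy never truncates. */
static int realm_from_domain(const char *src, char *dst, size_t dstlen)
{
    size_t len = strlen(src);
    if (len + 1 > dstlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[len] = '\0';
    return 0;
}

/*
 * Try `domain`, then each parent, stopping after `parent_limit` parents
 * (0 = only the domain as given). Assumption added here: a single-label
 * name (a TLD) is never tried as a realm. Returns 0 and fills `realm` on
 * success, -1 (with `realm` empty) if no candidate had a KDC.
 */
int guess_realm(const char *domain, int parent_limit, kdc_probe_fn probe,
                void *ctx, char *realm, size_t realmlen)
{
    int parents_tried = 0;

    while (strchr(domain, '.') != NULL) {
        if (realm_from_domain(domain, realm, realmlen) != 0)
            break;                    /* does not fit: give up, no truncation */
        if (probe(realm, ctx))
            return 0;                 /* first candidate with a KDC wins */
        if (parents_tried++ >= parent_limit)
            break;                    /* parent budget exhausted */
        domain = strchr(domain, '.') + 1;
    }
    if (realmlen > 0)
        realm[0] = '\0';
    return -1;
}

/* Constructed probe: the NULL-terminated list in `ctx` names the realms
 * that have a reachable KDC. */
static int table_probe(const char *realm, void *ctx)
{
    const char *const *known = ctx;
    for (; *known != NULL; known++)
        if (strcmp(realm, *known) == 0)
            return 1;
    return 0;
}

/* Constructed KDC tables for the scenarios below. */
static const char *known_cd[] = {"C.D", NULL};
static const char *known_full[] = {"LAB.EXAMPLE.ORG", "EXAMPLE.ORG", NULL};
/* What the heuristic sees when the answer for the child domain is missing,
 * which is exactly what a forged NXDOMAIN produces (the risk in point 2). */
static const char *known_parent_only[] = {"EXAMPLE.ORG", NULL};

/* Returns the chosen realm, or "" if none (static buffer, for brevity). */
const char *demo_lookup(const char *domain, int parent_limit,
                        const char **known)
{
    static char realm[MAX_NAME];
    guess_realm(domain, parent_limit, table_probe, known, realm, sizeof realm);
    return realm;
}

int main(void)
{
    printf("a.b.c.d, limit 2 -> %s\n", demo_lookup("a.b.c.d", 2, known_cd));
    printf("a.b.c.d, limit 1 -> %s\n", demo_lookup("a.b.c.d", 1, known_cd));
    printf("lab.example.org, limit 1, child answer present -> %s\n",
           demo_lookup("lab.example.org", 1, known_full));
    printf("lab.example.org, limit 1, child answer missing -> %s\n",
           demo_lookup("lab.example.org", 1, known_parent_only));
    return 0;
}
```

The last two scenarios are the point-2 concern in miniature: the result depends entirely on the probe's negative answers, so if the answer for the correct domain is lost or forged, the walk continues to the parent and that realm is chosen instead. That is why the heuristic should ship disabled while dns_lookup_kdc is on by default, and why a small parent limit bounds how far the choice can drift. The copy into the realm buffer is length-checked rather than truncating, in keeping with the remark about strlcpy() above.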
