Implementing IETF Draft on DNS use in Kerberos
Will Fiveash
william.fiveash at sun.com
Thu Jul 18 14:38:00 EDT 2002
On Thu, Jul 18, 2002 at 02:18:18PM -0400, Jeffrey Altman wrote:
> >
> > This issue has me confused. The IETF wg and others feel that Kerberos
> > referrals should be used for realm lookups since DNS TXT realm lookups
> > are insecure but in the case of a client without a krb5.conf file
> > there doesn't seem to be a way (other than a DNS TXT realm lookup) for
> > the client to know its realm and thus which KDC to contact in order
> > to do referrals.
> >
> > Would it be reasonably safe to restrict the client to looking up its
> > local realm via DNS TXT since it would be contacting the local KDC and
> > the shared secret key would provide spoofing protection (cross-realm
> > lookups would be handled by referral once the local KDC is known)?
> >
>
> It would be safe provided that upon receiving the local Realm info and
> using it to retrieve a TGT, that the TGT be used to retrieve a service
> ticket to verify against the local machine. Of course, this can't be
> done unless the local machine was configured to be part of the local
> realm; AND as such had a service key installed on it.
I thought that the receipt of a valid TGT was proof for the client
that it was dealing with a trusted KDC and thus the local realm lookup
was valid. If this is true, then it doesn't seem necessary to get a
service ticket in order to validate the local realm lookup. (I should
point out that by client I mean client principal with an entry in the
KDC's princ db.)
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
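The lookup the thread is arguing about, as an added illustration (not code from the thread, the draft, or any Kerberos implementation): walk from `_kerberos.<fqdn>` up the parent domains until a TXT record answers with a realm name, then find that realm's KDCs through `_kerberos._udp.<REALM>` / `_kerberos._tcp.<REALM>` SRV records. The resolver and the record set are constructed stand-ins so the code runs offline; the function and record names are this example's own choices, and only a subset of the draft's record types is modeled. The point it makes concrete is where an unauthenticated DNS answer lands: the realm string returned by `realm_for_host` and the KDC list returned by `kdcs_for_realm` are trusted exactly as far as the DNS path is, which is why the discussion turns on what the client does afterwards to validate them.

```python
"""DNS-based realm and KDC discovery, modeled on the draft under discussion.

Added example; the zone data below is constructed for the demonstration,
and the resolver is a lookup into that table rather than a real DNS query.
"""

from typing import Callable, Dict, List, Optional, Tuple

# Constructed records: (owner name, rrtype) -> rdata list.
# TXT rdata is the realm name; SRV rdata is (priority, weight, port, target).
CONSTRUCTED_RECORDS: Dict[Tuple[str, str], List] = {
    ("_kerberos.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos.lab.example.com", "TXT"): ["LAB.EXAMPLE.COM"],
    ("_kerberos._udp.EXAMPLE.COM", "SRV"): [
        (10, 50, 88, "kdc2.example.com"),
        (0, 100, 88, "kdc1.example.com"),
    ],
    ("_kerberos._tcp.EXAMPLE.COM", "SRV"): [(0, 100, 88, "kdc1.example.com")],
}

# A resolver takes (name, rrtype) and returns the rdata list (empty = NXDOMAIN/NODATA).
Resolver = Callable[[str, str], List]


def constructed_resolver(name: str, rrtype: str) -> List:
    """Stand-in for a DNS query against the constructed zone; owner names are
    compared case-insensitively, as DNS does."""
    for (owner, rtype), rdata in CONSTRUCTED_RECORDS.items():
        if rtype == rrtype and owner.lower() == name.lower():
            return list(rdata)
    return []


def realm_for_host(hostname: str, resolve: Resolver = constructed_resolver) -> Optional[str]:
    """Return the realm for a host by querying _kerberos.<fqdn> for a TXT record,
    then stripping the leftmost label and retrying until the name is exhausted.

    Nothing here is authenticated: whoever can answer the TXT query chooses
    the realm the client will go on to use.
    """
    labels = hostname.rstrip(".").split(".")
    while labels:
        answers = resolve("_kerberos." + ".".join(labels), "TXT")
        if answers:
            return answers[0]
        labels = labels[1:]  # walk up to the parent domain
    return None


def kdcs_for_realm(realm: str, proto: str = "udp",
                   resolve: Resolver = constructed_resolver) -> List[Tuple[str, int]]:
    """Return (target, port) pairs for the realm's KDCs from _kerberos._<proto>.<REALM>
    SRV records, lowest priority first and, within a priority, higher weight first."""
    answers = resolve(f"_kerberos._{proto}.{realm}", "SRV")
    ordered = sorted(answers, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _priority, _weight, port, target in ordered]


if __name__ == "__main__":
    for host in ("ws1.lab.example.com", "mail.example.com", "host.other.org"):
        realm = realm_for_host(host)
        print(host, "->", realm, kdcs_for_realm(realm) if realm else [])
```

With the constructed records, `ws1.lab.example.com` resolves to `LAB.EXAMPLE.COM` on the first query, `mail.example.com` falls through to the parent domain's `EXAMPLE.COM`, and `host.other.org` finds nothing and returns `None`, which is the case where a client without a krb5.conf has no realm at all.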