krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

John Hascall john at
Tue Apr 8 17:49:50 EDT 2003

> > I would be interested in hearing more about #3 (how does
> > hostname canonicalization == no security?)

> DNS spoofing.  I spoof the PTR lookup to a machine that I own.
> I now act as a Man-in-the-middle.

    Ok, client wants to connect to
    which is really foo-1 through foo-99 ( - 99) so
    it does an A lookup on and gets back,
    say which it then does a pointer lookup on
    and instead of getting back ( some
    DNS trickery occurs and it gets back
    and it acquires tickets for say host/
    and then connects to and it attempts to use
    the host/ ticket to authenticate.

    This is obviously going to fail, so the attacker must
    do something more than just fudge the PTR lookup.
    One possibility is fudging the A lookup too.

    Ok, so now the client is talking to drevil when it
    thinks it is talking to one of the foo-cluster (which
    is bad enough), but how does drevil authenticate to
    foo-17 (as the user on the client) to complete the
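The canonicalization sequence the post walks through (A lookup on the name the client was given, PTR lookup on the returned address, then a ticket for `host/<PTR name>`), simulated as an added example. This is not code from the original post or from MIT krb5: the hostnames, addresses, DNS records and keytab contents are all constructed, and the `rdns` / forward-confirmed-reverse-DNS behaviour is modelled as plain function flags rather than taken from any library. It runs the PTR-only spoof, the A-plus-PTR spoof, and two mitigations (keeping the forward name, as modern MIT krb5's `rdns = false` libdefault does, and requiring the PTR name to map back to the address) so the outcomes the post reasons about can be checked.

```python
import copy

# Constructed DNS data for this example (not from the original post).
DNS = {
    "A": {
        "foo.example.com": "192.0.2.17",     # cluster name, resolves to one member
        "foo-17.example.com": "192.0.2.17",  # the member actually behind that address
        "drevil.example.com": "192.0.2.66",  # attacker-controlled host
    },
    "PTR": {
        "192.0.2.17": "foo-17.example.com",
        "192.0.2.66": "drevil.example.com",
    },
}

# Constructed keytabs: which service principals each server can decrypt tickets
# for. The cluster member also holds a key for the cluster alias so that a client
# which keeps the forward name still gets in.
KEYTABS = {
    "192.0.2.17": {"host/foo-17.example.com@EXAMPLE.COM",
                   "host/foo.example.com@EXAMPLE.COM"},
    "192.0.2.66": {"host/drevil.example.com@EXAMPLE.COM"},
}


def canonical_name(host, dns, rdns=True, fcrdns=False):
    """Choose the hostname that goes into the service principal.

    rdns=True mirrors the legacy behaviour: forward (A) lookup, then a PTR lookup
    on the address, and the PTR name wins. rdns=False keeps the forward name.
    fcrdns=True only accepts a PTR name whose own A record maps back to the address.
    """
    addr = dns["A"][host]
    if not rdns:
        return host, addr
    ptr = dns["PTR"].get(addr)
    if ptr is None:
        return host, addr
    if fcrdns and dns["A"].get(ptr) != addr:
        return host, addr  # PTR not forward-confirmed: ignore it
    return ptr, addr


def principal(name, service="host", realm="EXAMPLE.COM"):
    return f"{service}/{name}@{realm}"


def attempt(host, dns, rdns=True, fcrdns=False):
    """Client side: canonicalize, obtain a ticket for that principal, connect.

    Returns (principal requested, address connected to, whether the server at that
    address holds the key and so accepts the ticket).
    """
    name, addr = canonical_name(host, dns, rdns, fcrdns)
    princ = principal(name)
    return princ, addr, princ in KEYTABS.get(addr, set())


def spoofed(dns, ptr=None, a=None):
    """Copy of the DNS table with attacker-controlled answers substituted."""
    d = copy.deepcopy(dns)
    if ptr:
        d["PTR"].update(ptr)
    if a:
        d["A"].update(a)
    return d


def honest(**flags):
    return attempt("foo.example.com", DNS, **flags)


def ptr_spoof_only(**flags):
    # Attacker answers the PTR query for the real cluster address with its own name.
    return attempt("foo.example.com",
                   spoofed(DNS, ptr={"192.0.2.17": "drevil.example.com"}), **flags)


def a_and_ptr_spoof(**flags):
    # Attacker also answers the A query, steering the client to its own address.
    return attempt("foo.example.com",
                   spoofed(DNS, a={"foo.example.com": "192.0.2.66"}), **flags)


if __name__ == "__main__":
    for label, fn in [("honest", honest), ("PTR spoof only", ptr_spoof_only),
                      ("A + PTR spoof", a_and_ptr_spoof)]:
        print(f"{label:15} legacy rdns : {fn()}")
        print(f"{label:15} rdns off    : {fn(rdns=False)}")
        print(f"{label:15} fcrdns      : {fn(fcrdns=True)}")
```

Running it shows the post's two cases: fudging only the PTR record makes the client ask for `host/drevil...` but still connect to the real member, which cannot decrypt that ticket, so the attempt fails; fudging the A record as well puts the client on the attacker's host with a ticket the attacker can decrypt. Keeping the forward name (`rdns=False`) defeats the second case because the attacker would need the key for the name the user actually typed; the forward-confirmed check only helps against the PTR-only spoof, since an attacker who controls both answers can make them agree.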


