requiring canonical hostnames
Ken Raeburn
raeburn at MIT.EDU
Fri Aug 20 17:55:44 EDT 2004
On Aug 20, 2004, at 17:50, James Matthews wrote:
> Our kerberized Mac FTP client (Fetch) does a reverse name lookup of
> the server's IP address to get a canonical hostname before requesting
> tickets from Kerberos. Some users are in situations where reverse
> name lookup for the server address fails, and currently that prevents
> Fetch from making GSS Kerberos logins. Would there be adverse
> security implications to having Fetch fall back on using the hostname
> entered by the user when reverse name lookup fails? Apple's Mail and
> AFP clients appear to work in this case, which makes me suspect that
> they are using this (or some other) work-around.

They probably are. The MIT Kerberos library also does something like
this internally, currently.

In fact, the security problem comes not from using the user-supplied
name, but from doing these DNS queries with no security; an attacker
could redirect the user to a server of his choice. It's a known
problem with the MIT implementation, and one we hope to fix once the
Kerberos protocol enhancements to better support this situation are
available.

Ken
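
Added example, not part of the original message and not code from Fetch or MIT Kerberos: a sketch of how the hostname in the service principal depends on whether unauthenticated DNS answers are trusted, including the fallback to the typed name when reverse lookup fails. The function names, the `ftp` service name, the `EXAMPLE.ORG` realm and the dictionary-backed resolvers are assumptions chosen so the block runs offline.

```python
from typing import Callable, Optional, Tuple

Forward = Callable[[str], Optional[str]]   # hostname -> IP address, or None
Reverse = Callable[[str], Optional[str]]   # IP address -> PTR name, or None


def service_host(user_host: str, forward: Forward, reverse: Reverse,
                 trust_dns: bool) -> Tuple[str, str]:
    """Pick the hostname used in the service principal.

    Returns (hostname, source); source is "user", "user-fallback" or "dns".
    """
    typed = user_host.rstrip(".").lower()    # normalise case and trailing dot
    if not trust_dns:
        return typed, "user"                 # no unauthenticated input used
    addr = forward(typed)
    ptr = reverse(addr) if addr else None
    if not ptr:
        return typed, "user-fallback"        # reverse lookup failed: typed name
    return ptr.rstrip(".").lower(), "dns"    # name chosen by whoever answered


def principal(service: str, host: str, realm: str) -> str:
    return f"{service}/{host}@{realm}"


# Constructed sample data: documentation-range addresses, example domains.
A_RECORDS = {"ftp.example.org": "192.0.2.10", "files.example.org": "192.0.2.20"}
PTR_RECORDS = {"192.0.2.10": "ftp1.example.org."}     # 192.0.2.20 has no PTR
FORGED_PTR = {"192.0.2.10": "ftp.other.example."}     # unauthenticated answer


def demo():
    """Same typed name under honest DNS, forged DNS, and DNS not trusted."""
    out = []
    for ptrs, trust in ((PTR_RECORDS, True), (FORGED_PTR, True), (FORGED_PTR, False)):
        host, src = service_host("FTP.example.org", A_RECORDS.get, ptrs.get, trust)
        out.append((principal("ftp", host, "EXAMPLE.ORG"), src))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
    print(service_host("files.example.org", A_RECORDS.get, PTR_RECORDS.get, True))
```

Logging the `source` value alongside the requested principal makes it visible when a ticket request was built from a DNS-derived name rather than the one the user typed.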