requiring canonical hostnames

Ken Raeburn raeburn at MIT.EDU
Fri Aug 20 17:55:44 EDT 2004

On Aug 20, 2004, at 17:50, James Matthews wrote:
> Our kerberized Mac FTP client (Fetch) does a reverse name lookup of 
> the server's IP address to get a canonical hostname before requesting 
> tickets from Kerberos.  Some users are in situations where reverse 
> name lookup for the server address fails, and currently that prevents 
> Fetch from making GSS Kerberos logins.  Would there be adverse 
> security implications to having Fetch fall back on using the hostname 
> entered by the user when reverse name lookup fails?  Apple's Mail and 
> AFP clients appear to work in this case, which makes me suspect that 
> they are using this (or some other) work-around.

They probably are.  The MIT Kerberos library also does something like 
this internally, currently.

In fact, the security problem comes not from using the user-supplied 
name, but from doing these DNS queries with no security; an attacker 
could redirect the user to a server of his choice.  It's a known 
problem with the MIT implementation, and one we hope to fix once the 
Kerberos protocol enhancements to better support this situation are 
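
[Added example, not part of the original message and not Fetch or MIT Kerberos code.] The Python sketch below models the name selection discussed in this thread: it uses the reverse-lookup name when there is one and falls back to the name the user typed when there is not, recording which source supplied the name. The function names, the injected resolver callables, the "ftp" service name, the realm, and all hostnames and addresses are constructed assumptions.

```python
from typing import Callable, Optional, Tuple

Forward = Callable[[str], Optional[str]]  # hostname -> IP address, or None
Reverse = Callable[[str], Optional[str]]  # IP address -> PTR name, or None


def choose_service_host(typed: str, forward: Forward, reverse: Reverse,
                        fallback: bool = True) -> Tuple[Optional[str], str]:
    """Return (hostname to request a ticket for, source of that name)."""
    typed = typed.rstrip(".").lower()
    addr = forward(typed)
    ptr = reverse(addr) if addr else None
    if ptr:
        # The name is whatever the unauthenticated DNS answers said, so it
        # can differ from what the user typed.
        return ptr.rstrip(".").lower(), "dns"
    if fallback:
        # Proposed fallback: no reverse record, keep the user's own input.
        return typed, "user"
    return None, "none"  # without the fallback, no ticket request is made


def principal(service: str, host: str, realm: str) -> str:
    """Format a service principal name (service and realm are assumed)."""
    return f"{service}/{host}@{realm}"


# Constructed sample data: documentation address range and example domains.
A = {"ftp.example.edu": "192.0.2.10"}
PTR_OK = {"192.0.2.10": "files1.example.edu."}
PTR_MISSING = {}
PTR_ALTERED = {"192.0.2.10": "other.example.net."}


def demo() -> dict:
    """Run the same typed name against three constructed reverse zones."""
    out = {}
    for label, ptr in (("ok", PTR_OK), ("missing", PTR_MISSING),
                       ("altered", PTR_ALTERED)):
        host, source = choose_service_host("FTP.Example.EDU", A.get, ptr.get)
        out[label] = (principal("ftp", host, "EXAMPLE.EDU"), source)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the "altered" case the requested principal follows the DNS answer rather than the user's input, while the "missing" case depends on no reverse record at all.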


