Null realms and servers
Nicolas Williams
Nicolas.Williams at sun.com
Wed Dec 20 11:43:46 EST 2006
On Wed, Dec 20, 2006 at 09:51:14AM -0500, Derek Atkins wrote:
> Ahh, there's the "lookup_kdcs()" step. That makes sense, and
> answers the question. At each step in the FQDN you perform an
> active check to see if there's a realm at that level.
Yes.
There's a minor attack here (if you're using DNS to look up KDCs) in
that NXDOMAIN spoofs could force you up the realm hierarchy, but that
will be a DoS unless the attacker happens to be in possession of the
server credential for the given principal in the resulting realm name --
bloody unlikely.
In a zero-conf world making a fairly straightforward link between DNS
domain names and Kerberos V realm names helps, but requiring that every
sub-domain have its own realm when it isn't really in a separate
administrative domain doesn't. Both referrals and this host2realm
algorithm address that problem, but referrals require KDC-side support,
whereas the latter does not.
Nico
--
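The walk Nico and Derek are discussing, as an added illustration that is not code from the krbdev thread or from any Kerberos implementation: a model of the "check each level of the FQDN with lookup_kdcs()" algorithm, with a pluggable resolver so it runs offline against a constructed DNS table. The `min_labels` bound, the `Resolver` contract, the spoofing resolver used to show the NXDOMAIN push-up, and the `realm_drift` check are all assumptions of this example; the point it adds is the defender's one from the post: a forged NXDOMAIN moves the client to a parent realm, which is detectable as a host whose resolved realm jumped to a shorter ancestor, and is only a denial of service unless the attacker holds the service credential in that realm.

```python
# Added illustration, not code from the krbdev thread or from any Kerberos
# implementation. Models the host-to-realm walk described in the post.
from typing import Callable, Dict, List, Optional, Tuple

# Resolver contract (assumption): given an SRV owner name, return the KDC
# host list, or None to signal NXDOMAIN (no such name).
Resolver = Callable[[str], Optional[List[str]]]


def lookup_kdcs(domain: str, resolve: Resolver) -> Optional[List[str]]:
    """Ask the resolver for _kerberos._udp.<domain>, the conventional SRV name."""
    return resolve("_kerberos._udp." + domain)


def host2realm(fqdn: str, resolve: Resolver, min_labels: int = 2
               ) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
    """Return (realm, trace): the first ancestor domain advertising KDCs,
    uppercased as a realm name, plus the (candidate, found) steps taken.
    min_labels (assumed, not from the post) stops the walk before a bare
    TLD, bounding how far spoofed NXDOMAINs can push the client upward."""
    labels = fqdn.rstrip(".").lower().split(".")
    trace: List[Tuple[str, bool]] = []
    for i in range(len(labels) - min_labels + 1):
        candidate = ".".join(labels[i:])
        found = bool(lookup_kdcs(candidate, resolve))
        trace.append((candidate, found))
        if found:
            return candidate.upper(), trace
    return None, trace


# Constructed DNS table for the example (not real hosts).
DNS_SRV: Dict[str, List[str]] = {
    "_kerberos._udp.lab.example.com": ["kdc1.lab.example.com"],
    "_kerberos._udp.example.com": ["kdc.example.com"],
}


def honest_resolver(name: str) -> Optional[List[str]]:
    return DNS_SRV.get(name)


def make_nxdomain_spoofer(suppressed: str) -> Resolver:
    """Model the case the post mentions: a forged NXDOMAIN for one level
    (e.g. lab.example.com), so the client walks up to the parent realm."""
    def resolve(name: str) -> Optional[List[str]]:
        if name == "_kerberos._udp." + suppressed:
            return None
        return honest_resolver(name)
    return resolve


def realm_drift(fqdn: str, realm: Optional[str], cache: Dict[str, str]) -> Optional[str]:
    """Compare the walk result with the realm last seen for this host.
    A move to a shorter ancestor realm is the signature of the NXDOMAIN
    push-up: the pinned realm is kept and a message is returned for logging.
    Any other change updates the pin and is also reported. None means no drift."""
    key = fqdn.rstrip(".").lower()
    previous = cache.get(key)
    if realm is None or realm == previous:
        return None
    if previous is None:
        cache[key] = realm
        return None
    if previous.endswith("." + realm):
        return f"{fqdn}: realm moved up from {previous} to {realm}"
    cache[key] = realm
    return f"{fqdn}: realm changed from {previous} to {realm}"


if __name__ == "__main__":
    pins: Dict[str, str] = {}
    host = "www.lab.example.com"
    realm, trace = host2realm(host, honest_resolver)
    print("honest walk:", trace, "->", realm)
    realm_drift(host, realm, pins)
    realm, trace = host2realm(host, make_nxdomain_spoofer("lab.example.com"))
    print("spoofed walk:", trace, "->", realm)
    print("drift:", realm_drift(host, realm, pins))
```

The honest walk stops at `lab.example.com`; with the forged NXDOMAIN it continues to `example.com`, and `realm_drift` reports the jump while keeping the earlier pin. What the client then asks for is a ticket for the service principal in EXAMPLE.COM, which fails unless that principal and its key exist there, which is the "DoS unless the attacker holds the server credential" observation in the post.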
More information about the krbdev mailing list