host-based princname canon (Re: Null realms and servers)

Nicolas Williams Nicolas.Williams at
Wed Dec 20 13:04:11 EST 2006

> This does depend on having FQDNs, which means we still have to solve the
> secure hostname canonicalization problem.  (More on that in a separate
> thread, some other time.)

Another related problem is hostname canonicalization.

Users are accustomed to entering short-form names (i.e., not FQDNs) and
relying on DNS resolver search lists to resolve the short names in a
most-specific to least-specific manner.

I believe search lists are actually quite useful, both for users and

But using DNS for hostname canonicalization in krb5 is dangerous: it
opens the client to DNS attacks that the krb5 client library can
neither detect nor protect against.

Even if we fail to agree on the goodness of search lists there is the
fact that users rely on them, so that if we can find a way to preserve
search lists while adding security to the hostname canonicalization
step, then we should at least consider it.

An algorithm for hostname canonicalization in krb5_get_credentials()
with search lists but w/o DNS:

    for (domain in searchlist) {
	if (get_svc_ticket(fqdn = short_form_hostname || '.' || domain))
	    return (fqdn);
    }

    return (short_form_hostname || '.' || searchlist[0]);

Note that the RFC4120 KRB-ERROR PDU is not integrity protected, so an
attacker can force the client down the search list; I believe this is

Just as the MIT krb5 1.6 change to krb5_sname_to_principal() requires a
corresponding change to krb5_kt_get_entry(), so could the above
algorithm be implemented in krb5_kt_get_entry():

    for (domain in searchlist) {
	if (get_kt_entry(fqdn = short_form_hostname || '.' || domain))
	    return (fqdn);
    }

    return (short_form_hostname || '.' || searchlist[0]);

Unlike host2realm resolution, short-form hostname canonicalization can't
be implemented with referrals unless we find a way to pass the client's
search list to the KDC.  KDC referrals can still be used to deal with
host aliases (or hosts with aliases can be given credentials for all the
aliases' FQDNs).
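The search-list walk sketched above for krb5_get_credentials() and krb5_kt_get_entry(), written out as an added example in C. This is not code from the message or from MIT krb5: the search list, the credential store contents and the `probe_fn` callback are hypothetical. The callback stands in for either oracle (a service-ticket request to the KDC, or a keytab lookup), so one function serves both variants, and the store can be told to answer "no" for one name to model the forged, unprotected KRB-ERROR the message mentions, which walks the client down to the next domain.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lookup oracle: returns nonzero if a credential (a service ticket from the
 * KDC, or a keytab entry) exists for fqdn.  ctx is oracle-private state.
 * Hypothetical abstraction; krb5 has no such callback. */
typedef int (*probe_fn)(const char *fqdn, void *ctx);

/* Search-list canonicalization without DNS.  Tries short_name.domain for
 * each domain in searchlist, most specific first.  Returns 1 and writes the
 * matching FQDN to out; returns 0 and writes short_name.searchlist[0] when
 * no candidate had a credential; -1 on an empty list or a too-small buffer. */
int canonicalize_host(const char *short_name, const char *const *searchlist,
                      size_t nlist, probe_fn probe, void *ctx,
                      char *out, size_t outlen)
{
    size_t i;
    if (nlist == 0)
        return -1;
    for (i = 0; i < nlist; i++) {
        int n = snprintf(out, outlen, "%s.%s", short_name, searchlist[i]);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (probe(out, ctx))
            return 1;
    }
    /* Nothing matched: fall back to the most specific domain. */
    snprintf(out, outlen, "%s.%s", short_name, searchlist[0]);
    return 0;
}

/* Hypothetical stand-in for a KDC or a keytab: a fixed list of FQDNs that
 * have a credential, plus at most one name whose lookup an attacker forces
 * to fail (a forged KRB-ERROR, which the client cannot authenticate). */
struct cred_store {
    const char *const *names;
    size_t nnames;
    const char *forged_error_for;   /* NULL when no attacker is present */
};

static int store_probe(const char *fqdn, void *ctx)
{
    const struct cred_store *s = ctx;
    size_t i;
    if (s->forged_error_for && strcmp(fqdn, s->forged_error_for) == 0)
        return 0;   /* indistinguishable from a genuine "unknown principal" */
    for (i = 0; i < s->nnames; i++)
        if (strcmp(fqdn, s->names[i]) == 0)
            return 1;
    return 0;
}

/* Resolve short_name against a constructed search list and credential store
 * (constructed sample data, not real hosts).  forged names one FQDN whose
 * lookup the attacker defeats, or NULL. */
int resolve(const char *short_name, const char *forged, char *out, size_t outlen)
{
    static const char *const searchlist[] = { "eng.example.com", "example.com" };
    static const char *const kdc_names[] = {
        "db.eng.example.com", "db.example.com", "web.example.com"
    };
    struct cred_store kdc = { kdc_names, 3, forged };
    return canonicalize_host(short_name, searchlist, 2, store_probe, &kdc,
                             out, outlen);
}

/* Returns 1 when resolving short_name yields both want_rc and want_fqdn. */
int resolves_to(const char *short_name, const char *forged,
                int want_rc, const char *want_fqdn)
{
    char buf[256];
    int rc = resolve(short_name, forged, buf, sizeof buf);
    return rc == want_rc && strcmp(buf, want_fqdn) == 0;
}

int main(void)
{
    char fqdn[256];
    int rc;

    rc = resolve("db", NULL, fqdn, sizeof fqdn);
    printf("db      -> %s (rc=%d)\n", fqdn, rc);
    rc = resolve("web", NULL, fqdn, sizeof fqdn);
    printf("web     -> %s (rc=%d)\n", fqdn, rc);
    /* Attacker forges an error for the most specific candidate: the client
     * silently moves on and accepts a different host's principal. */
    rc = resolve("db", "db.eng.example.com", fqdn, sizeof fqdn);
    printf("db (forged KRB-ERROR for db.eng.example.com) -> %s (rc=%d)\n", fqdn, rc);
    rc = resolve("nosuch", NULL, fqdn, sizeof fqdn);
    printf("nosuch  -> %s (rc=%d)\n", fqdn, rc);
    return 0;
}
```

The third case is the one to watch: with "db" present in both eng.example.com and example.com, a single forged error for the most specific name makes the client obtain a ticket for db.example.com instead, and nothing in the walk itself distinguishes that from the attacker-free case where only the second candidate exists.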

