Realm lookups again
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Oct 1 15:44:04 EDT 2008
I've been asked to look at
https://krbdev.mit.edu/rt/Ticket/Display.html?id=6031 which is the
patch from Mark Phalan at Sun to implement new algorithms for
determining the default domain and the domain of a realm. I've
reviewed some mailing list conversations from April and July
pertaining to the issue.
I have two questions for the list related to the patch:
1. Right now we have some DNS support for determining default realms
and host realms (using _kerberos.domain TXT records, not heuristics),
but it's off by default. The Sun patch does its DNS heuristics by
default (in fact, precisely when dns_lookup_realm is false). Sam
suggested that there are security issues if an attacker is able to
forge the default realm, such as possibly convincing ksu not to
perform a keytab lookup.
Is there any way to resolve the desire for zero-configuration with the
security concern about using DNS for default realm determination?
2. To use our shiny new DNS host->realm heuristic for the local
default realm, we need a list of domain names to apply the heuristic
to. The patch iterates over two lists of domain names:
* The result of res_gethostbyaddr on each interface IP address
* Each entry in the DNS search path
I have concerns about the portability of this code as supplied, and
more generally about our ability to portably determine the DNS search
path.
Would it be sufficient to canonicalize the result of gethostname() and
apply the heuristic to that?
(A brief introduction for those wondering who I am: I've been hired
into the Kerberos consortium starting this week. I have some
familiarity with the krb5 source base going back a decade or so but
I'm not an expert. My work will likely focus on improving the
Kerberos development process in several ways.)
More information about the krbdev
mailing list