Realm lookups again

Greg Hudson ghudson at MIT.EDU
Wed Oct 1 18:40:07 EDT 2008

On Wed, 2008-10-01 at 15:28 -0500, Nicolas Williams wrote:
> The heuristic in the ticket does not depend on _kerberos.domain TXT RRs,
> nor does it depend on DNS for the (lookup_kdcs(realm) part if DNS
> lookups for KDCs are not enabled.  I can't see the patch, and I don't
> think this is in OpenSolaris, so I can't speak to what's in the patch.

Ignore _kerberos.domain TXT RRs for the moment.

There are two parts to the Sun patch:

  1. Implement the heuristic for host->realm
  2. Determine default_realm by applying the heuristic to the host's
interface names and DNS search path.

Part 1 only uses DNS if dns_lookup_kdc is true (the default), so you're
correct as far as that goes.

By my reading, part 2 uses DNS to reverse-resolve the host's interfaces
addresses if dns_lookup_realm is *false* (also the default).  If you can
subvert that reverse lookup, you can make the library try to use any
realm it can successfully look up as the default.

> The severity of such an attack depends on whether you trust EXAMPLE.COM
> not to create host-based principals for hosts in  Now,
> with this heuristic this is a determination of trust that one would have
> to make for every domain/realm.

For host->realm conversion, yes.  For default_realm determination, I
believe there are other attacks--mainly convincing a host not to do
keytab verification because it can't find a suitable service key in its
keytab for the (wrong) default realm.

(That particular attack goes away if, as you suggest, we use the realm
from the host's keytab entries in preference to information from DNS.)

More information about the krbdev mailing list