Realm lookups again

Nicolas Williams Nicolas.Williams at
Wed Oct 1 18:47:29 EDT 2008

On Wed, Oct 01, 2008 at 06:40:07PM -0400, Greg Hudson wrote:
> Ignore _kerberos.domain TXT RRs for the moment.

OK :)

> There are two parts to the Sun patch:
>   1. Implement the heuristic for host->realm
>   2. Determine default_realm by applying the heuristic to the host's
> interface names and DNS search path.
> Part 1 only uses DNS if dns_lookup_kdc is true (the default), so you're
> correct as far as that goes.
> By my reading, part 2 uses DNS to reverse-resolve the host's interfaces
> addresses if dns_lookup_realm is *false* (also the default).  If you can
> subvert that reverse lookup, you can make the library try to use any
> realm it can successfully look up as the default.


> > The severity of such an attack depends on whether you trust EXAMPLE.COM
> > not to create host-based principals for hosts in  Now,
> > with this heuristic this is a determination of trust that one would have
> > to make for every domain/realm.
> For host->realm conversion, yes.  For default_realm determination, I
> believe there are other attacks--mainly convincing a host not to do
> keytab verification because it can't find a suitable service key in its
> keytab for the (wrong) default realm.

IMO a host should never skip TGT verification for local logins.  (That
should be the default anyways.)  (Unless the TGT is obtained via PKINIT
or FAST w/ PKINIT w/ anon PKINIT client, so that the AS is explicitly
authenticated to the client host.)

> (That particular attack goes away if, as you suggest, we use the realm
> from the host's keytab entries in preference to information from DNS.)



More information about the krbdev mailing list