Realm lookups again

Ken Raeburn raeburn at MIT.EDU
Thu Oct 2 09:35:14 EDT 2008


On Oct 2, 2008, at 05:54, Mark Phalan wrote:
> On Thu, 2008-10-02 at 02:35 -0400, Greg Hudson wrote:
>> Here is my current thinking on the patch, based on the discussion so far:
>>
>> 1. The default_realm part of the patch is of limited value.  It's not a
>> safe default, which means it can't (without compromising security)
>> accomplish the goal of making Kerberos work with zero configuration.
>> Once there is any kind of configuration requirement, people are better
>> off configuring the default realm.
>
> The security problem is that it does a lookup for each interface IP
> address.
> (As already mentioned by Nico) this could be replaced by looking in the
> keytab for host's keytab entries and using the realm found there.
> Alternatively the local /etc/hosts database could be used to look for
> the interface addresses - actually I understood that libresolv will look
> into /etc/hosts before going to DNS (Nico?).

It sounds to me like there's still a risk if there's any address not  
listed.  Like, say, an autoconfigured IPv6 address derived from a  
bogus router advertisement.

I'm inclined to think that, when you register a machine for a service  
key, you're no longer in a "zero configuration" case, and the issuing  
realm should probably just then become the default realm, at least for  
the purposes of accepting and verifying credentials.  It gets trickier  
when you could conceivably have a machine with services registered in  
multiple realms, a case we look at fairly rarely, and probably handle  
poorly already, but let's not make it any worse.

>> 2. The host->realm part of the patch would let people throw away most of
>> their domain_realm table.  So does
>> http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals ; I
>> would be interested to know what the status of that project is, and
>> whether people think it would supplant the need for a DNS heuristic or
>> complement it.  Or if people think the DNS heuristic is a better idea
>> than domain realm referrals.
>
> I think that both are desirable. The DNS heuristic doesn't require any
> server-side support so will work in more situations. Referrals have
> advantages but do require KDC support.

I think the domain_realm referrals proposal is probably in its final  
form, and I expect we'll eventually work on implementing it, if no one  
else wants to give it a shot sooner.  But for realms where it's not  
implemented, and there's no applicable domain_realm mapping on the  
client, the DNS heuristic is probably a good fallback, if we're  
already risking DNS spoofing because of name canonicalization.

Ken
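
The keytab-based idea discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: it picks the realm from local `host/` keytab principals without any network lookup, and refuses to guess when host keys exist in more than one realm. The function names, the principal list and the hostnames are hypothetical and constructed for illustration; it assumes the caller supplies principal names already read from the keytab.

```python
"""Sketch: derive a default realm from local host/ keytab principals."""


class AmbiguousRealm(Exception):
    """Host keys exist in more than one realm; do not pick one silently."""


def split_principal(name):
    """Split 'comp/comp@REALM' into (components, realm), honouring '\\' escapes."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur.append(name[i + 1])      # escaped '/', '@' or '\' is literal
            i += 2
            continue
        if not in_realm and ch in "/@":
            comps.append("".join(cur))   # end of a name component
            cur = []
            in_realm = ch == "@"
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return comps, "".join(cur)
    comps.append("".join(cur))
    return comps, None                   # no realm part present


def realm_from_keytab(principals, local_hostnames):
    """Return the single realm that issued this host's keys, or None.

    Only locally stored data is consulted: no DNS, no interface address
    lookups. local_hostnames is an assumption: names the administrator
    configured for this machine.
    """
    hosts = {h.lower().rstrip(".") for h in local_hostnames}
    realms = set()
    for p in principals:
        comps, realm = split_principal(p)
        if (len(comps) == 2 and comps[0] == "host" and realm
                and comps[1].lower() in hosts):
            realms.add(realm)
    if not realms:
        return None                      # fall back to configured default_realm
    if len(realms) > 1:
        raise AmbiguousRealm(sorted(realms))
    return realms.pop()
```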


