Realm lookups again

Nicolas Williams Nicolas.Williams@sun.com
Thu Oct 2 11:34:30 EDT 2008


On Thu, Oct 02, 2008 at 09:35:14AM -0400, Ken Raeburn wrote:
> I'm inclined to think that, when you register a machine for a service  
> key, you're no longer in a "zero configuration" case, and the issuing  

Good point.

> realm should probably just then become the default realm, at least for  
> the purposes of accepting and verifying credentials.  It gets trickier  
> when you could conceivably have a machine with services registered in  
> multiple realms, a case we look at fairly rarely, and probably handle  
> poorly already, but let's not make it any worse.

But in that case the sysadmin can be expected to decide.

> I think the domain_realm referrals proposal is probably in its final  
> form, and I expect we'll eventually work on implementing it, if no one  
> else wants to give it a shot sooner.  But for realms where it's not  
> implemented, and there's no applicable domain_realm mapping on the  
> client, the DNS heuristic is probably a good fallback, if we're  
> already risking DNS spoofing because of name canonicalization.

Right.  And the risk with the proposed host2realm heuristic is much more
constrained than the risk with the TXT RR lookup (redirect to
service@PARENT vs redirect to service@REALM-OF-ATTACKER'S-CHOICE) or the
lookups done by krb5_sname_to_principal() (redirect to any
service@ANY-REALM).  Though the fix for the krb5_sname_to_principal()
issue is completely unrelated to the host2realm issue, so we shouldn't
use krb5_sname_to_principal() as an excuse for whatever we choose to do
for host2realm.

Nico
-- 
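The comparison Nico draws above, as an added illustration that is not part of the original message and not MIT krb5 code: a host2realm-style heuristic that derives candidate realms from the hostname's own parent domains can, at worst, be pushed to a parent realm, whereas a forged _kerberos TXT record can name any realm at all. The exact shape of the proposed heuristic (walk parent domains, nearest first, take the first one with a discoverable KDC) is an assumption here, and all DNS data is a constructed in-memory table standing in for a resolver whose answers an attacker may forge or suppress.

```python
"""Host-to-realm lookups: bounding the attack surface.

Added illustration, not code from MIT krb5 or from the thread.  It models
the point in the message above: a heuristic that derives candidate realms
from the hostname's own domain labels can at worst be pushed to a parent
realm, while a spoofed _kerberos TXT record names any realm whatsoever.
All DNS data below is a constructed in-memory table (assumption) standing
in for a resolver whose answers an attacker may forge or suppress.
"""
from typing import Dict, FrozenSet, List, Optional

# Constructed SRV view: which realms have a resolvable KDC (assumption).
KDC_SRV: Dict[str, List[str]] = {
    "EXAMPLE.COM": ["kdc.example.com"],
    "COM": ["kdc.parent.invalid"],
}

# Constructed, attacker-forged _kerberos TXT answer for the host.
SPOOFED_TXT: Dict[str, str] = {
    "_kerberos.www.example.com.": "EVIL.ATTACKER.NET",
}


def _labels(hostname: str) -> List[str]:
    return hostname.rstrip(".").lower().split(".")


def candidate_realms_from_host(hostname: str) -> List[str]:
    """Assumed shape of the host2realm heuristic: candidate realms are the
    upper-cased parent domains of the host, nearest first.  No DNS is
    consulted to build this list, so its members are fixed by the name."""
    labels = _labels(hostname)
    return [".".join(labels[i:]).upper() for i in range(1, len(labels))]


def heuristic_realm(hostname: str, srv: Dict[str, List[str]],
                    suppressed: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Pick the first candidate whose KDC is discoverable.  `suppressed`
    models an attacker withholding a realm's SRV answer, which is the
    lever that pushes the client toward a parent realm."""
    for realm in candidate_realms_from_host(hostname):
        if realm in suppressed:
            continue
        if srv.get(realm):
            return realm
    return None


def txt_realm(hostname: str, txt: Dict[str, str]) -> Optional[str]:
    """Classic _kerberos TXT lookup, walking from the host toward the root.
    The realm is whatever string the (spoofable) record carries."""
    labels = _labels(hostname)
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:]) + "."
        if name in txt:
            return txt[name]
    return None


def is_ancestor_realm(realm: str, hostname: str) -> bool:
    """True if `realm` is one of the host's own parent domains."""
    return realm.upper() in candidate_realms_from_host(hostname)


def outcomes(hostname: str) -> Dict[str, object]:
    """Outcome under an honest resolver, under SRV suppression, and under a
    forged TXT record, each tagged with whether the realm stayed in-family."""
    honest = heuristic_realm(hostname, KDC_SRV)
    pushed = heuristic_realm(hostname, KDC_SRV, frozenset({"EXAMPLE.COM"}))
    forged = txt_realm(hostname, SPOOFED_TXT)
    return {
        "heuristic_honest": honest,
        "heuristic_suppressed": pushed,
        "heuristic_stays_in_family": all(
            r is None or is_ancestor_realm(r, hostname) for r in (honest, pushed)),
        "txt_forged": forged,
        "txt_stays_in_family": forged is not None
        and is_ancestor_realm(forged, hostname),
    }


if __name__ == "__main__":
    for key, value in outcomes("www.example.com").items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the three outcomes for www.example.com: the heuristic yields EXAMPLE.COM against an honest resolver and COM when the child realm's SRV answer is suppressed, both parents of the host; the forged TXT record yields EVIL.ATTACKER.NET, which is not. The flexibility that lets a TXT record point a host at an unrelated realm is exactly what a spoofer gets to choose.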