Initial Auth Realm Fall-back

Nico Williams nico at
Thu Aug 22 18:22:43 EDT 2013

On Thu, Aug 22, 2013 at 3:45 PM, Shawn M Emery <shawn.emery at> wrote:
> For environments that _do_ happen to have user principal name collisions
> between realms this would not have any more impact on n-strikes for any
> random default realm given that any decrypt integrity error code
> returned would short-circuit the realm fall-back.  As mentioned above,
> the only time the fall-back realm would be used is when the unknown
> principal error code is returned.

Any incorrect password usage has N-strikes impact.  Of course, that's
more a reflection on the utter stupidity that is N-strikes: a willful
DoS vulnerability.

Still, it's a real impact.

To recap the discussion we had the other day, IMO:

 - Heimdal and MIT should both implement a single-valued user_realm
paramater for use in qualifying otherwise realm-less unparsed
principal names in krb5_get_init_creds*() callers (possibly also
including gss_acquire_cred_with_password()).

 - Any multi-valued user_realm support should not be documented OR the
documentation should advise users against it.

 - Heimdal and MIT should also support UPNs in krb5_get_init_creds*(),
with canonicalization, of course, and pam-krb5 modules should use this
to update PAM_USER, and should have an option to allow username at domain
forms of canonical usernames.  On systems where there is appropriate
name service and ID mapping functionality this will permit
multi-domain user support, which I'm sure Solaris and Linux users
would all very much like to have.


More information about the krbdev mailing list