Initial Auth Realm Fall-back

Shawn M Emery shawn.emery at
Sat Aug 24 00:24:10 EDT 2013

On 08/22/13 04:22 PM, Nico Williams wrote:
> On Thu, Aug 22, 2013 at 3:45 PM, Shawn M Emery<shawn.emery at>  wrote:
>> For environments that _do_ happen to have user principal name collisions
>> between realms this would not have any more impact on n-strikes for any
>> random default realm given that any decrypt integrity error code
>> returned would short-circuit the realm fall-back.  As mentioned above,
>> the only time the fall-back realm would be used is when the unknown
>> principal error code is returned.
> Any incorrect password usage has N-strikes impact.  Of course, that's
> more a reflection on the utter stupidity that is N-strikes: a willful
> DoS vulnerability.

Agreed, but I'll just leave it at that.

> Still, it's a real impact.
> To recap the discussion we had the other day, IMO:
>   - Heimdal and MIT should both implement a single-valued user_realm
> paramater for use in qualifying otherwise realm-less unparsed
> principal names in krb5_get_init_creds*() callers (possibly also
> including gss_acquire_cred_with_password()).

Do you have a project page or patches to reference?  I didn't catch how 
far along this design was.

>   - Any multi-valued user_realm support should not be documented OR the
> documentation should advise users against it.

Yes and pam_krb5 should also provide disclaimers.

>   - Heimdal and MIT should also support UPNs in krb5_get_init_creds*(),
> with canonicalization, of course, and pam-krb5 modules should use this
> to update PAM_USER, and should have an option to allow username at domain
> forms of canonical usernames.  On systems where there is appropriate
> name service and ID mapping functionality this will permit
> multi-domain user support, which I'm sure Solaris and Linux users
> would all very much like to have.

Yes, this would be the ideal solution.  Some of the customers wanting 
this feature are using SSH.  Do you know if any of the common 
applications, such as SSH, would need to change to support UPNs 
(w/suffixes, etc.)?


More information about the krbdev mailing list