Host-realm pluggable interface scope questions

Nico Williams nico at
Mon Jun 17 12:26:03 EDT 2013

On Mon, Jun 17, 2013 at 11:12 AM, Greg Hudson <ghudson at> wrote:
> * Should krb5_get_default_realm() be in scope?  One can think of this as
>   a special case of krb5_get_host_realm(), and some of the same
>   mechanisms have historically applied (such as TXT lookups).

Yes, but only if the plugin has a way to request or indicate secure lookups.

> * Should hostname canonicalization be in scope?  This is performed by
>   krb5_sname_to_principal(), not krb5_get_host_realm(), but
>   sname-to-principal is one of only two consumers of
>   krb5_get_host_realm().


> * Should hostname "cleaning" be in scope?  This is where we convert
>   hostnames to lower-case and strip off any trailing dot.

Absolutely not.

> * Should plugin modules be able to return multiple answers for the host
>   realm?  Our APIs currently allow this (for realm-of-host and
>   fallback-realm-of-host, not for default-realm) but we only ever
>   produce or consume one answer at the moment.


I have two uses for this.  One is for host principal canonicaliztion:
try one realm, then the next, when referrals aren't forthcoming.  The
other is the name constraints checking I was referring to the other
day.  Note that for the first case order matters.


More information about the krbdev mailing list