
default realm resolution question



Hi. I'm wondering if somebody can provide me a reference to past
discussion on the list. I'm curious: if looking up the default
realm in DNS, and the `hostname` isn't fully qualified so that
the lookup fails, why not try to expand the name?

Below is a (not very artful) patch just to show you what I'm
getting at. I'm sure somebody's raised this before, but I'm
curious why Heimdal doesn't fall back to using a hostname lookup
to expand the local hostname as it seems MIT krb5 does. Is it
a philosophical security concern?

Thanks for humoring me.

--buck

--- lib/krb5/get_host_realm.c.orig	Wed Aug 28 09:36:57 2002
+++ lib/krb5/get_host_realm.c	Fri May 23 14:22:43 2003
@@ -208,6 +208,7 @@
 		    const char *host,
 		    krb5_realm **realms)
 {
+    krb5_error_code ret;
     char hostname[MAXHOSTNAMELEN];
 
     if (host == NULL) {
@@ -216,5 +217,18 @@
 	host = hostname;
     }
 
-    return krb5_get_host_realm_int (context, host, 1, realms);
+    ret = krb5_get_host_realm_int(context, host, 1, realms);
+
+    /* if we couldn't find a realm for our own hostname and it looks
+     * unqualified, try the expansion mechanism */
+    if (ret == KRB5_ERR_HOST_REALM_UNKNOWN && 
+	host == hostname &&
+	strchr(host, '.') == NULL) {
+	    char *thost = NULL;
+	    ret = krb5_expand_hostname_realms(context, host, &thost,
+					      (char ***)realms);
+	    if (ret == 0 && thost != NULL)
+		free(thost);
+    }
+    return ret;
 }
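Review bot: the `(char ***)realms` cast on the `krb5_expand_hostname_realms` call papers over whatever difference exists between `krb5_realm **` and the `char ***` the callee takes; if `krb5_realm` is just a typedef for `char *` the cast is redundant and should go, and if it is not, the cast hides a real mismatch the compiler should be allowed to report. Two more points in the same block: the fallback is gated only on `host == hostname` and the absence of a '.', so the realm chosen here comes from whatever canonical name the resolver hands back for the local host, which is exactly the unauthenticated-DNS concern the cover mail asks about and belongs in the code comment, not only in the mail; and `if (ret == 0 && thost != NULL) free(thost);` leaks `thost` on the callee's error paths unless that function guarantees it stays NULL on failure, so either free it unconditionally or state that contract in the comment. The `if (ret == KRB5_ERR_HOST_REALM_UNKNOWN && ` line also carries trailing whitespace.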
--- lib/krb5/expand_hostname.c.orig	Tue Sep 18 05:35:47 2001
+++ lib/krb5/expand_hostname.c	Fri May 23 14:22:43 2003
@@ -140,7 +140,7 @@
 		return ret;
 	    }
 	    strlwr (*new_hostname);
-	    ret = krb5_get_host_realm (context, *new_hostname, realms);
+	    ret = krb5_get_host_realm_int (context, *new_hostname, 1, realms);
 	    if (ret == 0) {
 		freeaddrinfo (ai);
 		return 0;
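Review bot: swapping the public `krb5_get_host_realm` for `krb5_get_host_realm_int (context, *new_hostname, 1, realms)` hard-codes the third argument without saying what it selects; the existing call in get_host_realm.c passes the same literal, so at minimum add a comment naming the flag, and say why the internal entry point is used here (presumably so the lookup on the expanded name cannot re-enter the new fallback added to `krb5_get_host_realm`), since anything the public wrapper did in addition to the `_int` call is now skipped on this path.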