Re: domain to realm mappings and DNS (probably a bug)

On Wed, 21 Apr 2004, Henry B. Hotz wrote:

> > I'm a little confused by heimdal's behaviour regarding when to use DNS
> > to get the correct realm name.
> >
> > If I do kinit/kauth from a machine residing in the domain without
> > giving the realm, it gets it right (i.e. does DNS lookups):
> > host.acc.umu.se:~ kauth yada
> > yada@ACC.UMU.SE's Password:
> >
> > However, if I give it a realm it ignores the lookup and thus if I
> I think you are describing correct behavior.  If you tell it what realm
> to use you don't want it doing a DNS lookup behind your back (and
> getting info from a spoofed DNS).

Well, since it gets the info on which servers to contact using DNS,
why not get the info on what the real realm name is from the DNS??? I
mean, if I trust the DNS to get me the server to contact why shouldn't
I trust DNS to get me the realm name? It's not like there's going to
be multiple kerberos realms in different case in the same DNS domain
(OK, people might do that for fun but I really hope not), so why not
just do the obvious and look up the real realm name too?

The real problem here is that DNS is case insensitive and realm names
aren't :/

I can totally understand the behaviour if I have the server(s)
hardcoded in the config file, but that's not what's happening in this

> Note that what you describe is only an issue for kinit.  For service
> tickets the realm is based on the machine to be contacted, not your
> own, so the defaults should work even at home.
> Except for occasional use it's best to put the info in your local
> krb5.conf so you don't have to worry about DNS compromises.  Then you
> can make the defaults work the way you want them to as well.

Actually, why should I worry about DNS compromises that much? If
someone is able to fake your kerberos server, he/she has the master
key and then you've got quite a few other problems. It's exactly the
same as someone listening to the net and spoofing answers from your KDC.
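As an added illustration (not part of the thread) of the local krb5.conf approach Henry mentions: pinning both the domain-to-realm mapping and the KDC names so the client consults DNS for neither. The KDC host names are constructed placeholders, not ACC.UMU.SE's real servers.

```ini
# Added example: client krb5.conf that keeps realm mapping and KDC discovery
# out of DNS entirely. KDC host names are constructed placeholders.
[libdefaults]
    default_realm = ACC.UMU.SE
    # Never derive the realm from DNS TXT records (_kerberos.<domain>)
    dns_lookup_realm = false
    # Never locate KDCs through DNS SRV records (_kerberos._udp.<realm>)
    dns_lookup_kdc = false

[realms]
    ACC.UMU.SE = {
        kdc = kdc1.example.invalid
        kdc = kdc2.example.invalid
        admin_server = kdc1.example.invalid
    }

[domain_realm]
    # The DNS names on the left are case-insensitive; the realm on the
    # right is matched exactly, so spell it the way the KDC knows it.
    .acc.umu.se = ACC.UMU.SE
    acc.umu.se = ACC.UMU.SE
```

With both dns_lookup_* options off, a spoofed TXT or SRV answer can no longer change which realm name the client uses or which host it talks to; only the file contents do.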

