Re: domain to realm mappings and DNS (probably a bug)
On Apr 21, 2004, at 11:52 PM, Niklas Edmundsson wrote:
> On Wed, 21 Apr 2004, Henry B. Hotz wrote:
>
>>> I'm a little confused by heimdal's behaviour regarding when to use
>>> DNS to get the correct realm name.
>>>
>>> If I do kinit/kauth from a machine residing in the domain without
>>> giving the realm, it gets it right (ie. does DNS lookups):
>>> host.acc.umu.se:~ kauth yada
>>> yada@ACC.UMU.SE's Password:
>>>
>>> However, if I give it a realm it ignores the lookup and thus if I
>>
>> I think you are describing correct behavior. If you tell it what
>> realm to use you don't want it doing a DNS lookup behind your back
>> (and getting info from a spoofed DNS).
>
> Well, since it gets the info on which servers to contact using DNS,
> why not get the info on what the real realm name is from the DNS???
Because if you are doing a kinit on machine home.dsl.net how is it to
know that you want a ticket from the WORK.COM realm?
Given the initial ticket you can connect to database.work.com and it
should guess you want a service ticket in the WORK.COM realm fine, and
do the appropriate lookups.
>> Except for occasional use it's best to put the info in your local
>> krb5.conf so you don't have to worry about DNS compromises. Then you
>> can make the defaults work the way you want them to as well.
>
> Actually, why should I worry about DNS compromises that much? If
> someone is able to fake your kerberos server, he/she has the master
> key and then you've got quite a few other problems. It's exactly the
> same as someone listens to the net and spoofs answers from your KDC.
Standard answer: It depends.
The only case I can think of offhand that isn't just a DOS is if you
use Kerberos to allow login to a workstation. The person sending a
password might be the same person who's spoofing the KDC. The defense
in that case is to get a service ticket to check against a host keytab.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
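As an added example (not from this thread and not Heimdal's code), the following Python models the lookup order Henry is describing: a host name is first matched against the local [domain_realm] section of krb5.conf, most specific entry first, and a _kerberos TXT lookup in DNS is consulted only if nothing matches and dns_lookup_realm is on. The krb5.conf text, the spoofed DNS answers and the host names are constructed for the example; the fallback order after the config miss is a simplified approximation of what MIT and Heimdal do, not a transcription of either library.

```python
"""Model of host-name -> realm resolution: local [domain_realm] mapping
first, DNS TXT (_kerberos.<name>) only as an opt-in fallback.

Assumptions (not from the thread): the sample config below, the spoofed
DNS answers, and the simplified fallback order (config, then DNS if
enabled, then default_realm, then upper-cased parent domain)."""
import configparser
from typing import Callable, Dict, List, Optional

# Constructed sample krb5.conf for this example.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ACC.UMU.SE
    dns_lookup_realm = false

[domain_realm]
    acc.umu.se = ACC.UMU.SE
    .acc.umu.se = ACC.UMU.SE
    database.work.com = WORK.COM
"""

# Constructed "spoofed DNS": a resolver under attacker control answers
# every _kerberos TXT query with a realm of the attacker's choosing.
SPOOFED_TXT = {
    "_kerberos.host.acc.umu.se": "EVIL.EXAMPLE",
    "_kerberos.home.dsl.net": "EVIL.EXAMPLE",
}


def spoofed_dns(name: str) -> Optional[str]:
    """Stand-in for a TXT lookup; returns None when there is no record."""
    return SPOOFED_TXT.get(name)


class Krb5Config:
    def __init__(self, domain_realm: Dict[str, str],
                 default_realm: Optional[str], dns_lookup_realm: bool):
        self.domain_realm = domain_realm
        self.default_realm = default_realm
        self.dns_lookup_realm = dns_lookup_realm


def load_config(text: str) -> Krb5Config:
    """Parse the two krb5.conf sections this model needs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; realm names are case sensitive
    cp.read_string(text)
    libdefaults = cp["libdefaults"] if cp.has_section("libdefaults") else {}
    mapping = dict(cp["domain_realm"]) if cp.has_section("domain_realm") else {}
    return Krb5Config(
        domain_realm={k.lower(): v for k, v in mapping.items()},
        default_realm=libdefaults.get("default_realm"),
        dns_lookup_realm=libdefaults.get("dns_lookup_realm", "false").lower()
        in ("true", "yes", "1"),
    )


def realm_candidates(host: str) -> List[str]:
    """Keys tried against [domain_realm], most specific first: the host
    itself, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    return [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def dns_realm(host: str, dns_txt: Callable[[str], Optional[str]]) -> Optional[str]:
    """Query _kerberos.<host>, then _kerberos.<parent>, and so on."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        answer = dns_txt("_kerberos." + ".".join(labels[i:]))
        if answer:
            return answer
    return None


def host_realm(host: str, conf: Krb5Config,
               dns_txt: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Resolve the realm for host. A local mapping wins outright, so a
    spoofed DNS answer cannot redirect a host that krb5.conf covers."""
    for key in realm_candidates(host):
        if key in conf.domain_realm:
            return conf.domain_realm[key]
    if conf.dns_lookup_realm and dns_txt is not None:
        found = dns_realm(host, dns_txt)
        if found:
            return found
    if conf.default_realm:
        return conf.default_realm
    return ".".join(host.lower().split(".")[1:]).upper()


if __name__ == "__main__":
    conf = load_config(SAMPLE_KRB5_CONF)
    for h in ("host.acc.umu.se", "database.work.com", "home.dsl.net"):
        print(h, "->", host_realm(h, conf, spoofed_dns))
```

With dns_lookup_realm off, host.acc.umu.se and database.work.com resolve from the local mapping and home.dsl.net falls through to default_realm; the client has no way to know that WORK.COM was wanted, which is Henry's point. Flip dns_lookup_realm on and home.dsl.net is the one host whose realm the spoofed resolver gets to choose, while the hosts covered by [domain_realm] are unaffected.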