
Re: domain to realm mappings and DNS (probably a bug)

On Apr 21, 2004, at 11:52 PM, Niklas Edmundsson wrote:

> On Wed, 21 Apr 2004, Henry B. Hotz wrote:
>>> I'm a little confused by heimdal's behaviour regarding when to use
>>> DNS to get the correct realm name.
>>> If I do kinit/kauth from a machine residing in the domain without
>>> giving the realm, it gets it right (ie. does DNS lookups):
>>> host.acc.umu.se:~ kauth yada
>>> yada@ACC.UMU.SE's Password:
>>> However, if I give it a realm it ignores the lookup and thus if I
>> I think you are describing correct behavior.  If you tell it what realm
>> to use you don't want it doing a DNS lookup behind your back (and
>> getting info from a spoofed DNS).
> Well, since it gets the info on which servers to contact using DNS,
> why not get the info on what the real realm name is from the DNS???

Because if you are doing a kinit on machine home.dsl.net how is it to  
know that you want a ticket from the WORK.COM realm?

Given the initial ticket you can connect to database.work.com and it  
should guess you want a service ticket in the WORK.COM realm fine, and  
do the appropriate lookups.

>> Except for occasional use it's best to put the info in your local
>> krb5.conf so you don't have to worry about DNS compromises.  Then you
>> can make the defaults work the way you want them to as well.
> Actually, why should I worry about DNS compromises that much? If
> someone is able to fake your kerberos server, he/she has the master
> key and then you've got quite a few other problems. It's exactly the
> same as someone listens to the net and spoofs answers from your KDC.

Standard answer:  It depends.

The only case I can think of offhand that isn't just a DOS is if you  
use Kerberos to allow login to a workstation.  The person sending a  
password might be the same person who's spoofing the KDC.  The defense  
in that case is to get a service ticket to check against a host keytab.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
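The realm-resolution order the two of them are arguing about, as an added example that is not part of this thread and not Heimdal's own code: a simplified Python model of how a client picks a realm for a host name. It follows the behaviour described above (an explicit realm is taken as given with no lookup; a `[domain_realm]` entry in krb5.conf wins over DNS; DNS is consulted only when `dns_lookup_realm` is on). The host names, realms and the `FAKE_DNS_TXT` table are constructed sample data standing in for real `_kerberos.<domain>` TXT queries, and the `resolve_realm`, `lookup_local`, `lookup_dns` and `demo` names are this example's own.

```python
"""Simplified model of Kerberos realm resolution (added example, not Heimdal code).

Order modelled: explicit realm -> [domain_realm] in krb5.conf -> DNS TXT
(only if dns_lookup_realm is enabled) -> default_realm -> unresolved.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Krb5Config:
    """The parts of krb5.conf that matter for picking a realm."""
    default_realm: Optional[str] = None
    # [domain_realm]: exact host names and ".suffix" entries, as in krb5.conf
    domain_realm: Dict[str, str] = field(default_factory=dict)
    # [libdefaults] dns_lookup_realm
    dns_lookup_realm: bool = False


# Constructed stand-in for _kerberos.<domain> TXT records.  A real client
# would query DNS here; that query is the part an attacker on the path can
# answer with a realm of their choosing.
FAKE_DNS_TXT = {
    "_kerberos.acc.umu.se": "ACC.UMU.SE",
    "_kerberos.home.dsl.net": "EVIL.EXAMPLE",  # constructed "spoofed" answer
}


def lookup_local(config: Krb5Config, hostname: str) -> Optional[str]:
    """Match against [domain_realm]: full host name first, then each parent
    domain with a leading dot (".acc.umu.se", ".umu.se", ".se")."""
    host = hostname.lower().rstrip(".")
    if host in config.domain_realm:
        return config.domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in config.domain_realm:
            return config.domain_realm[suffix]
    return None


def lookup_dns(hostname: str, dns_table: Dict[str, str]) -> Optional[str]:
    """Walk parent domains asking for a _kerberos.<domain> TXT record."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in dns_table:
            return dns_table[name]
    return None


def resolve_realm(config: Krb5Config, hostname: str,
                  explicit_realm: Optional[str] = None,
                  dns_table: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], str]:
    """Return (realm, source); source names the mechanism that answered."""
    if explicit_realm:
        # A realm given on the command line is used as-is: no lookup at all,
        # so a forged DNS answer cannot redirect the request.
        return explicit_realm, "explicit"
    realm = lookup_local(config, hostname)
    if realm:
        return realm, "krb5.conf"
    if config.dns_lookup_realm and dns_table is not None:
        realm = lookup_dns(hostname, dns_table)
        if realm:
            return realm, "dns"
    if config.default_realm:
        return config.default_realm, "default_realm"
    return None, "unresolved"


# Constructed configurations: one that trusts DNS, one that pins the mapping.
DNS_TRUSTING = Krb5Config(default_realm="ACC.UMU.SE",
                          domain_realm={".acc.umu.se": "ACC.UMU.SE"},
                          dns_lookup_realm=True)
PINNED = Krb5Config(default_realm="WORK.COM",
                    domain_realm={".work.com": "WORK.COM",
                                  "home.dsl.net": "WORK.COM"},
                    dns_lookup_realm=False)


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Run the cases from the thread through both configurations."""
    return {
        # kauth on a machine inside the domain: local map answers, DNS unused
        "local_map": resolve_realm(DNS_TRUSTING, "host.acc.umu.se", dns_table=FAKE_DNS_TXT),
        # explicit realm: nothing is looked up, spoofed TXT record is irrelevant
        "explicit": resolve_realm(DNS_TRUSTING, "home.dsl.net", "WORK.COM", FAKE_DNS_TXT),
        # home.dsl.net with no local entry and DNS trusted: forged answer wins
        "dns_spoofed": resolve_realm(DNS_TRUSTING, "home.dsl.net", dns_table=FAKE_DNS_TXT),
        # same host with the mapping pinned in krb5.conf: DNS never consulted
        "dns_pinned": resolve_realm(PINNED, "home.dsl.net", dns_table=FAKE_DNS_TXT),
    }


if __name__ == "__main__":
    for case, (realm, source) in demo().items():
        print(f"{case:12s} -> {realm} (via {source})")
```

The `dns_spoofed` case is the one the thread worries about: with `dns_lookup_realm = true` and no `[domain_realm]` entry, whoever answers the TXT query chooses the realm, and the client then goes on to the SRV lookup for that realm's KDCs. Pinning the mapping in krb5.conf (the `PINNED` configuration) removes that dependency. For the workstation-login case raised at the end, the check against the host keytab is what both Heimdal and MIT perform through `krb5_verify_init_creds()`; setting `verify_ap_req_nofail = true` in `[libdefaults]` makes a missing or unreadable keytab a hard failure rather than a silent skip of that verification.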