Re: Question about dns_lookup_realm and domain_realm
daemon@ATHENA.MIT.EDU (Jos Backus)
Thu Jun 26 23:06:41 2008
Date: Thu, 26 Jun 2008 20:04:34 -0700
From: Jos Backus <jos@catnook.com>
To: kerberos@mit.edu
Message-ID: <20080627030434.GA7120@lizzy.catnook.local>
In-Reply-To: <20080626214129.GB76461@lizzy.catnook.local>
(I know, following up on myself...)
http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:
"The second mechanism works by looking up the information in special TXT
records in the Domain Name Service. This is currently not used by default
because security holes could result if the DNS TXT records were spoofed. If
this mechanism is enabled on the client, it will try to look up a TXT record
for the DNS name formed by putting the prefix _kerberos in front of the
hostname in question."
(Fwiw, 1.5.4 has similar verbiage.) The dns_lookup_realm libdefaults option
supposedly enables this mechanism on the client. The doc for it says:
"Indicate whether DNS TXT records should be used to determine the Kerberos
realm of a host."
However, this doesn't actually work (at least in krb5 1.6.1, and likely other
MIT versions as well), so either the docs are incorrect or there's a bug.
Clients appear to use krb5_get_host_realm() (perhaps through calling
krb5_sname_to_principal(), as in the case of kprop.c), _not_
krb5_get_fallback_host_realm(), which does have code to look up a _kerberos.FQDN
TXT RR (but doesn't handle domain_realm).
The attached proof-of-concept patch adds a new libdefaults option,
dns_lookup_host_realm, which corrects this. When set (it defaults to false),
the DNS TXT RR lookup is attempted first, and if it succeeds, the TXT RR's
value is used as the realm.
The code is cribbed from krb5_get_fallback_host_realm(), so some refactoring
is clearly needed. Also, I realize there's no documentation. If you think this
is a useful change I'm willing to clean it up some more and add documentation.
Otherwise I'll just keep it as a local patch, as it fixes my particular issue.
Thanks,
--
Jos Backus
jos at catnook.com
Attachment: kerberos-dns_lookup_host_realm.diff
diff -ru krb5-1.6.1-dist/src/lib/krb5/os/hst_realm.c krb5-1.6.1-new/./src/lib/krb5/os/hst_realm.c
--- krb5-1.6.1-dist/src/lib/krb5/os/hst_realm.c 2007-04-10 17:52:23.000000000 -0400
+++ krb5-1.6.1-new/./src/lib/krb5/os/hst_realm.c 2008-06-26 21:27:29.000000000 -0400
@@ -224,38 +224,64 @@
#endif
realm = (char *)NULL;
temp_realm = 0;
- while (cp) {
+
+#ifdef KRB5_DNS_LOOKUP
+ if (realm == (char *)NULL) {
+ int use_dns = _krb5_use_dns_host_realm(context);
+ if ( use_dns ) {
+ /*
+ * Since this didn't appear in our config file, try looking
+ * it up via DNS. Look for a TXT records of the form:
+ *
+ * _kerberos.<hostname>
+ *
+ */
+ cp = local_host;
+ do {
+ retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
+ cp = strchr(cp,'.');
+ if (cp)
+ cp++;
+ } while (retval && cp && cp[0]);
+ }
+ }
+#endif /* KRB5_DNS_LOOKUP */
+
+ if (realm == (char *)NULL) {
+ cp = local_host;
+ while (cp) {
#ifdef DEBUG_REFERRALS
- printf(" trying to look up %s in the domain_realm map\n",cp);
+ printf(" trying to look up %s in the domain_realm map\n",cp);
#endif
- retval = profile_get_string(context->profile, "domain_realm", cp,
- 0, (char *)NULL, &temp_realm);
- if (retval)
- return retval;
- if (temp_realm != (char *)NULL)
- break; /* Match found */
-
- /* Setup for another test */
- if (*cp == '.') {
- cp++;
- } else {
- cp = strchr(cp, '.');
+ retval = profile_get_string(context->profile, "domain_realm", cp,
+ 0, (char *)NULL, &temp_realm);
+ if (retval)
+ return retval;
+ if (temp_realm != (char *)NULL)
+ break; /* Match found */
+
+ /* Setup for another test */
+ if (*cp == '.') {
+ cp++;
+ } else {
+ cp = strchr(cp, '.');
+ }
}
- }
#ifdef DEBUG_REFERRALS
- printf(" done searching the domain_realm map\n");
+ printf(" done searching the domain_realm map\n");
#endif
- if (temp_realm) {
+ if (temp_realm) {
#ifdef DEBUG_REFERRALS
- printf(" temp_realm is %s\n",temp_realm);
+ printf(" temp_realm is %s\n",temp_realm);
#endif
- realm = malloc(strlen(temp_realm) + 1);
- if (!realm) {
- profile_release_string(temp_realm);
- return ENOMEM;
- }
- strcpy(realm, temp_realm);
- profile_release_string(temp_realm);
+ realm = malloc(strlen(temp_realm) + 1);
+ if (!realm) {
+ profile_release_string(temp_realm);
+ return ENOMEM;
+ }
+ strcpy(realm, temp_realm);
+ profile_release_string(temp_realm);
+ }
}
if (realm == (char *)NULL) {
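Review bot: the new `#ifdef KRB5_DNS_LOOKUP` block runs before the `[domain_realm]` map walk, so when `dns_lookup_host_realm` is set a TXT answer overrides an explicit `domain_realm` entry; the admin guide quoted in the message keeps DNS realm lookup off by default precisely because spoofed TXT records are a risk, so the map should be walked first and `krb5_try_realm_txt_rr` attempted only when it yields nothing, which would also make the block's own comment ("Since this didn't appear in our config file") true. Two smaller points in the same hunk: the guard `if (realm == (char *)NULL)` at the top of the DNS block is always true because `realm` is set to NULL two lines above it, and a failed TXT lookup leaves a nonzero `retval` behind that is only cleared because `profile_get_string` happens to overwrite it in the map walk, so the fallback path should not rely on that.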
diff -ru krb5-1.6.1-dist/src/lib/krb5/os/locate_kdc.c krb5-1.6.1-new/./src/lib/krb5/os/locate_kdc.c
--- krb5-1.6.1-dist/src/lib/krb5/os/locate_kdc.c 2007-04-10 17:52:23.000000000 -0400
+++ krb5-1.6.1-new/./src/lib/krb5/os/locate_kdc.c 2008-06-26 21:24:43.000000000 -0400
@@ -98,6 +98,12 @@
return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM);
}
+int
+_krb5_use_dns_host_realm(krb5_context context)
+{
+ return maybe_use_dns (context, "dns_lookup_host_realm", 0);
+}
+
#endif /* KRB5_DNS_LOOKUP */
int
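Review bot: the default for the new option is passed as the literal `0`, while the sibling `_krb5_use_dns_realm` immediately above uses the named `DEFAULT_LOOKUP_REALM`; defining a matching `DEFAULT_LOOKUP_HOST_REALM` macro next to it would keep both defaults visible in one place. The new `dns_lookup_host_realm` libdefaults key also needs an entry in the krb5.conf documentation, which the message itself notes is still missing.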
diff -ru krb5-1.6.1-dist/src/lib/krb5/os/os-proto.h krb5-1.6.1-new/./src/lib/krb5/os/os-proto.h
--- krb5-1.6.1-dist/src/lib/krb5/os/os-proto.h 2006-10-13 15:05:05.000000000 -0400
+++ krb5-1.6.1-new/./src/lib/krb5/os/os-proto.h 2008-06-26 21:23:35.000000000 -0400
@@ -59,6 +59,7 @@
void krb5int_debug_fprint (const char *fmt, ...);
int _krb5_use_dns_realm (krb5_context);
+int _krb5_use_dns_host_realm (krb5_context);
int _krb5_use_dns_kdc (krb5_context);
int _krb5_conf_boolean (const char *);
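To make the precedence question behind this patch concrete, here is an added Python model of the two lookup sources (this is example code written for this page, not krb5 code and not part of the original post). It reproduces the `[domain_realm]` suffix walk from hst_realm.c and the `_kerberos.<host>` TXT walk from the patch, then resolves a host under both orders: map first (DNS only as a fallback) and DNS first (what the patch does when `dns_lookup_host_realm` is set). The `DOMAIN_REALM` map, the `TXT_RECORDS` dictionary standing in for DNS, the host names and the `resolve_realm`/`dns_first` names are all constructed for the example.

```python
"""Model of MIT krb5 host-to-realm resolution (added example, not krb5 code).

Shows how the order in which [domain_realm] and DNS TXT records are
consulted decides whether a configured mapping or a DNS answer wins.
"""

# Constructed [domain_realm] section, as it would appear in krb5.conf.
DOMAIN_REALM = {
    ".catnook.local": "CATNOOK.LOCAL",
    "catnook.local": "CATNOOK.LOCAL",
}

# Constructed stand-in for DNS so the example runs offline: TXT answers by name.
# The second entry models a record a DNS spoofer could inject for a host that
# the administrator has already mapped explicitly.
TXT_RECORDS = {
    "_kerberos.example.com": "EXAMPLE.COM",
    "_kerberos.lizzy.catnook.local": "SPOOFED.EXAMPLE",
}


def domain_realm_candidates(host):
    """Keys tried against [domain_realm], in the order hst_realm.c uses.

    The C loop does `if (*cp == '.') cp++; else cp = strchr(cp, '.');`, so
    the sequence is the name, the suffix with its leading dot, the suffix
    without it, and so on until no dot remains.
    """
    cp = host
    while cp is not None:
        yield cp
        if cp.startswith("."):
            cp = cp[1:]
        else:
            dot = cp.find(".")
            cp = cp[dot:] if dot != -1 else None


def lookup_domain_realm(host, mapping=DOMAIN_REALM):
    """Return the realm from the map, or None when no suffix matches."""
    for key in domain_realm_candidates(host):
        if key in mapping:
            return mapping[key]
    return None


def txt_candidates(host):
    """Names queried for TXT records, mirroring the do/while loop in the patch:
    _kerberos.<host>, then one leading label stripped per iteration."""
    cp = host
    while cp:
        yield "_kerberos." + cp
        dot = cp.find(".")
        cp = cp[dot + 1:] if dot != -1 else ""


def lookup_txt(host, records=TXT_RECORDS):
    """Return the first TXT answer found while walking up the name, else None."""
    for name in txt_candidates(host):
        if name in records:
            return records[name]
    return None


def resolve_realm(host, dns_first=False):
    """Return (realm, source) for a host.

    dns_first=False is the conservative order: an explicit [domain_realm]
    entry is authoritative and DNS is consulted only when the map has nothing.
    dns_first=True is the order the posted patch implements: a TXT answer,
    spoofed or not, overrides the map.
    """
    order = [("domain_realm", lookup_domain_realm), ("dns", lookup_txt)]
    if dns_first:
        order.reverse()
    for source, fn in order:
        realm = fn(host)
        if realm is not None:
            return realm, source
    return None, None


if __name__ == "__main__":
    for h in ("lizzy.catnook.local", "kdc.example.com", "orphan.test"):
        print(h, "map-first:", resolve_realm(h),
              "dns-first:", resolve_realm(h, dns_first=True))
```

Running it shows the difference the review comment above the second hunk is about: `lizzy.catnook.local` resolves to `CATNOOK.LOCAL` from the map in the conservative order, but to the injected `SPOOFED.EXAMPLE` when DNS is consulted first, while a host with no map entry (`kdc.example.com`) falls through to DNS in both orders.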
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos