
Re: converting a hostname into its realm

daemon@TELECOM.MIT.EDU (Jon Rochlis)
Mon Apr 4 17:16:14 1988

From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: Richard Basch <probe@ATHENA.MIT.EDU>
Cc: jtkohl@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Richard Basch's message of Mon, 4 Apr 88 14:19:43 EDT,


   I have not fully thought this out to the same extent that John has given
   his idea, but how would a query to the remote machine sound?  For
   instance, if you open a connection to the remote machine on some
   arbitrary port (ie krb_query tcp/ip), you would get information about
   its Kerberos facilities.  If this fails, you could then fall back onto a
   table.

This is exactly what Jeff proposed quite a while ago.  It sounds very
attractive but I have been convinced that you have serious spoofing
problems with this scheme.  Basically you allow somebody to point you
at the wrong kerberos realm.  Any realm you exchange ticket-granting
ticket keys with would be able to do you serious harm.  Imagine:
Client in Kerberos realm A queries server in Kerberos realm C, what
realm are you in?  But nasty in Kerberos realm B replies, "I'm in
realm B".  Then client in A goes and gets tickets for the service but
in the wrong realm (B not C).  This works however, if A's Kerberos and
B's Kerberos have exchanged a common key for inter-realm
authentication.  Realm B can then look just like realm C ...

Basically if you use the simple query mechanism any realm you "trust"
to do inter-realm style authentication can spoof any other realm you
might want to deal with.

The simplest way to deal with this is to know the hostname to realm
mapping a priori.  A good approximation to this is a table in the
*local* filesystem.  I think Richard's point about achilles.mit.edu
and odie.mit.edu belonging to different realms and Rob's point made
last week about CMU having ten million sub-domains which probably want
to be mapped into the same kerberos realm, mean you have to
do something like this:
   1) look up the whole hostname in the table.  If you find a realm,
      use it.
   2) otherwise look up the domain and use what you find.

While the table approach is nice, it is very attractive to be able to
fall back on an algorithmic approach that will work the first time at
a new site ... 

		-- Jon
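The two-step lookup Jon sketches above, written out as an added example (this is not code from the original message or from the Kerberos distribution). It reads a local table of exact hostnames and `.domain` suffixes, tries the whole hostname first, then walks domain suffixes from most specific to least, which generalizes step 2 so that a site with many sub-domains can map all of them to one realm with a single entry. The table contents, the host names other than achilles.mit.edu and odie.mit.edu, and the realm names are constructed for illustration. The function deliberately does no network query: the realm comes only from the local table, which is the property the message argues for against the "ask the remote host" scheme.

```python
"""Hostname-to-Kerberos-realm mapping from a *local* table (added example)."""

# Constructed table text. Two kinds of keys:
#   - an exact hostname, e.g. "odie.mit.edu"
#   - a domain suffix beginning with ".", e.g. ".mit.edu"
# Realm names here are assumptions for illustration only.
CONSTRUCTED_TABLE_TEXT = """
# hostname or .domain     realm
achilles.mit.edu          ATHENA.MIT.EDU
odie.mit.edu              SIPB.MIT.EDU
.mit.edu                  ATHENA.MIT.EDU
.cmu.edu                  CMU.EDU
"""


def load_realm_table(text):
    """Parse 'name realm' lines into a dict; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed table line: %r" % raw)
        name, realm = parts
        # Hostnames are case-insensitive; normalize keys once at load time.
        table[name.lower()] = realm
    return table


REALM_TABLE = load_realm_table(CONSTRUCTED_TABLE_TEXT)


def hostname_to_realm(hostname, table=REALM_TABLE):
    """Return the realm for hostname, or None if the table has no entry.

    Step 1: the whole hostname.  Step 2: domain suffixes, most specific
    first, so "x.cs.cmu.edu" would try ".cs.cmu.edu" before ".cmu.edu".
    Nothing is asked of the remote host, so a third party cannot steer
    the client toward a realm of its choosing.
    """
    host = hostname.rstrip(".").lower()
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


if __name__ == "__main__":
    for h in ("achilles.mit.edu", "odie.mit.edu", "zeus.mit.edu",
              "a.b.cs.cmu.edu", "example.org"):
        print("%-20s -> %s" % (h, hostname_to_realm(h)))
```

With this layout achilles.mit.edu and odie.mit.edu can sit in different realms while every other mit.edu host falls through to the domain default, and a single `.cmu.edu` line covers all of CMU's sub-domains; a host with no matching entry yields None rather than a guess.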