[39506] in Kerberos
Re: Strange behavior with mixed case host name/principal
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Apr 18 13:56:28 2025
Message-Id: <202504181730.53IHUoYQ015681@hedwig.cmf.nrl.navy.mil>
To: Jafar Aliev <tubecleaner@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CALwi_rrX1-LGsjT7zr-bYyhf+GneUZV6S9kVA=-yf_pTh5PsjA@mail.gmail.com>
MIME-Version: 1.0
Date: Fri, 18 Apr 2025 13:30:49 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>Workarounds with sshd_conf
>GSSAPIStrictAcceptorCheck no
>or krb5.conf
>ignore_acceptor_hostname = true
>work well, but I want to keep a strict hostname check.
Why, exactly?  There are a few multi-homed situations where this
can cause security issues but I don't think they apply here.
There aren't wonderful solutions for this situation other than turning
off strict acceptor checking.  The DNS is case-PRESERVING, but
case-insensitive in lookup, so "SERVER" and "server" are treated as
being identical when it comes to hostname lookup.  RFC 4120 recommends
folding names to lowercase; that happens sometimes based on a particular
Kerberos implementation (in MIT Kerberos that happens when the hostname
is canonicalized in the function krb5_sname_to_principal() which is
called by most higher-level APIs such as the GSSAPI).
--Ken
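An added illustration (not code from the thread or from MIT krb5) of the point Ken makes: DNS preserves case but looks up case-insensitively, a service principal is built from the host name, and the strict acceptor check compares principals exactly, so the RFC 4120 lowercase folding is what makes "SERVER" and "server" agree. The zone data, the realm EXAMPLE.COM and the simplified acceptor decision are assumptions of this model.

```python
# Constructed zone data: DNS keeps the name as it was entered
# (case-PRESERVING) while lookups are case-insensitive.
ZONE = {
    "server.example.com": "SERVER.example.com",
}


def dns_lookup(name):
    """Case-insensitive lookup that hands back the stored, case-preserved name."""
    return ZONE.get(name.rstrip(".").lower())


def sname_to_principal(service, hostname, realm, fold_case=True):
    """service/host@REALM, the shape krb5_sname_to_principal() produces.
    fold_case=True mirrors the RFC 4120 recommendation that MIT krb5 follows
    when it canonicalizes the host name; False shows what happens without it."""
    host = hostname.rstrip(".")
    if fold_case:
        host = host.lower()
    return f"{service}/{host}@{realm}"


def acceptor_accepts(client_target, acceptor_name, strict=True):
    """Simplified model of the acceptor decision. Principal names compare
    exactly (case-sensitive). strict=False stands in for
    GSSAPIStrictAcceptorCheck no / ignore_acceptor_hostname = true, where
    any host-service principal in the keytab is acceptable."""
    if not strict:
        return client_target.split("/")[0] == acceptor_name.split("/")[0]
    return client_target == acceptor_name


def scenario(fold_case, strict):
    """Client derives its target from DNS (mixed case comes back); the server
    derives its acceptor name from its own lowercase hostname. Returns whether
    the acceptor check passes under the given folding and strictness."""
    client_host = dns_lookup("server.example.com")  # "SERVER.example.com"
    target = sname_to_principal("host", client_host, "EXAMPLE.COM", fold_case)
    acceptor = sname_to_principal("host", "server.example.com", "EXAMPLE.COM", fold_case)
    return acceptor_accepts(target, acceptor, strict)


if __name__ == "__main__":
    print("no folding, strict :", scenario(fold_case=False, strict=True))   # False
    print("folding, strict    :", scenario(fold_case=True, strict=True))    # True
    print("no folding, lenient:", scenario(fold_case=False, strict=False))  # True
```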
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos