[39507] in Kerberos
Re: Strange behavior with mixed case host name/principal
daemon@ATHENA.MIT.EDU (Jafar Aliev)
Fri Apr 18 14:27:00 2025
In-Reply-To: <202504181730.53IHUoYQ015681@hedwig.cmf.nrl.navy.mil>
From: Jafar Aliev <tubecleaner@gmail.com>
Date: Fri, 18 Apr 2025 21:25:37 +0300
Message-ID: <CALwi_rrjcwfdY8C-cy0DYjZdqGm8i4QWHeq3_2wes7tb3Tn0jw@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Ken, thank you for the fast response.
Your answer almost fulfills my request. I'll incorporate extra checks
in our playbooks to enforce strict hostname case.
One small splinter will remain: why the Kerberos lib indicates an error with
the exact host principal name that it has in the keytab.
p.s. My old RHEL 7.9 setup also doesn't have this problem: it
lowercases the hostname before requesting tickets.
On Fri, Apr 18, 2025 at 8:30 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >Workarounds with sshd_conf
> >GSSAPIStrictAcceptorCheck no
> >or krb5.conf
> >ignore_acceptor_hostname = true
> >work well, but I want to keep a strict hostname check.
>
> Why, exactly? There are a few multi-homed situations where this
> can cause security issues but I don't think they apply here.
>
> There aren't wonderful solutions for this situation other than turning
> off strict acceptor checking. The DNS is case-PRESERVING, but
> case-insensitive in lookup, so "SERVER" and "server" are treated as
> being identical when it comes to hostname lookup. RFC 4120 recommends
> folding names to lowercase; that happens sometimes based on a particular
> Kerberos implementation (in MIT Kerberos that happens when the hostname
> is canonicalized in the function krb5_sname_to_principal() which is
> called by most higher-level APIs such as the GSSAPI).
>
> --Ken
--
Best regards,
Jafar Aliev
http://jafar.ru
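An added example, not from either poster, of the kind of playbook pre-flight check discussed above: it folds the hostname to lowercase the way Ken describes krb5_sname_to_principal() doing, then compares the resulting host-based principal against a keytab listing and reports a case-only mismatch separately from a missing entry. The `klist -k` output is constructed for the example; the realm is left untouched because realm names are case-sensitive.

```python
import re

# Constructed sample of `klist -k` output; the second entry has a mixed-case
# hostname, which is the situation the thread is about.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 HTTP/SERVER.example.com@EXAMPLE.COM
"""

def parse_klist_keytab(text):
    """Return the principal names from a `klist -k` listing (KVNO column dropped)."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals

def sname_to_principal(service, hostname, realm):
    """Build service/hostname@REALM with the hostname folded to lowercase,
    as RFC 4120 recommends and as MIT's krb5_sname_to_principal() does when
    canonicalizing. Service and realm are kept exactly as given."""
    return f"{service}/{hostname.lower()}@{realm}"

def check_acceptor(service, hostname, realm, keytab_principals):
    """Classify whether a strict acceptor check would succeed.
    Returns ("ok", principal), ("case-mismatch", keytab_principal)
    or ("missing", expected_principal)."""
    wanted = sname_to_principal(service, hostname, realm)
    if wanted in keytab_principals:
        return ("ok", wanted)
    # Exact match failed; see whether only letter case differs, which is the
    # failure mode strict acceptor checking rejects but the keytab "seems" to hold.
    for p in keytab_principals:
        if p.lower() == wanted.lower():
            return ("case-mismatch", p)
    return ("missing", wanted)

if __name__ == "__main__":
    keytab = parse_klist_keytab(KEYTAB_LISTING)
    for svc, host in [("host", "SERVER.example.com"), ("HTTP", "server.example.com"), ("nfs", "server.example.com")]:
        print(svc, host, "->", check_acceptor(svc, host, "EXAMPLE.COM", keytab))
```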
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos