[3957] in Kerberos


Re: hierarchical realms

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Thu Sep 29 15:45:16 1994

To: kerberos@MIT.EDU
Date: Thu, 22 Sep 1994 14:39:58
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

John Gardiner Myers <jgm+@CMU.EDU> writes:
>warlord@MIT.EDU (Derek Atkins) writes:
>> But this is three entries, when we really only needed two, since
>> lcs.mit.edu defaults to LCS.MIT.EDU without a krb.realms entry.
>
>So you need at least one krb.realms entry for each Kerberos realm.
>Big deal, you need at least one krb.conf entry for each Kerberos
>realm.  This is a lot easier to track than one entry per non-leaf DNS
>names.

But it can cause other problems, potentially security-threatening...

Going back to Derek's example, with a krb.realms like the following:

mit.edu        ATHENA.MIT.EDU
media.mit.edu  MEDIA-LAB.MIT.EDU
lcs.mit.edu    LCS.MIT.EDU

The way things work currently, if the .lcs.mit.edu line is missing,
it will default to the correct realm anyway, as Derek pointed out.
If the .media.mit.edu line is missing, it will default to MEDIA.MIT.EDU,
which will be wrong, but which also probably won't exist in krb.conf
as a valid realm (unless somebody other than .media.mit.edu has set up
a MEDIA.MIT.EDU realm - highly unlikely).  In the event of no direct
match, the default would at least be a "local" name, possibly not valid.

However, if krb_realmofhost() or krb5_get_host_realm() were to be changed
to implement a "best-first" match, as John suggests, then a missing line
for either lcs or media will result in defaulting to the ATHENA.MIT.EDU
realm.  Contacting the "wrong" realm *could* have some potentially
interesting security ramifications, particularly if the KDCs for the
"wrong" realm were to be set up to take advantage of the situation.
It could be especially interesting in the event of a V5-style multi-realm
traversal to get to the desired foreign realm.

This is not altogether dissimilar to the DNS resolver issue discussed
in RFC 1535, where an EDU.COM domain can cause problems for .COM sites
when looking up .EDU names.

I'd give some *serious* thought as to the ramifications of what such
a scheme would or could do, if it were up to me to decide.

-Shawn Mamros
E-mail to: mamros@ftp.com
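The two lookup rules Shawn contrasts above, modelled side by side as an added example (not the Kerberos library's own krb_realmofhost() or krb5_get_host_realm() code, and not part of the original thread). It assumes krb.realms holds only domain-suffix entries (V4 also allows per-host lines, which this model omits), uses Derek's three-line table as constructed sample data plus a constructed krb.conf realm set, and the lookup_report() helper with its "silently_wrong" flag is this example's own way of marking the case where a missing line steers the client to a realm it can actually reach but that is not the host's realm.

```python
"""Hostname-to-realm lookup: current rule vs. proposed "best-first" suffix match.

Constructed sample tables modelled on Derek's krb.realms example; this is an
illustration, not the Kerberos library's actual code.
"""

# Constructed krb.realms: domain suffix -> realm.
KRB_REALMS = {
    "mit.edu": "ATHENA.MIT.EDU",
    "media.mit.edu": "MEDIA-LAB.MIT.EDU",
    "lcs.mit.edu": "LCS.MIT.EDU",
}

# Constructed krb.conf: the realms this client knows KDCs for.
KRB_CONF_REALMS = {"ATHENA.MIT.EDU", "MEDIA-LAB.MIT.EDU", "LCS.MIT.EDU"}


def parent_domain(host):
    """Everything after the first label: 'foo.lcs.mit.edu' -> 'lcs.mit.edu'."""
    return host.partition(".")[2]


def realm_of_host_current(host, realms):
    """Model of the existing rule: exact host, then its immediate domain,
    otherwise the immediate domain upper-cased (the 'local name' default)."""
    host = host.lower()
    if host in realms:
        return realms[host]
    domain = parent_domain(host)
    if domain in realms:
        return realms[domain]
    return domain.upper()


def realm_of_host_best_first(host, realms):
    """Model of the proposed rule: walk up the suffixes and take the first
    (most specific) hit, falling back to the upper-cased domain only when
    no suffix at all is listed."""
    host = host.lower()
    candidate = host
    while candidate:
        if candidate in realms:
            return realms[candidate]
        candidate = parent_domain(candidate)
    return parent_domain(host).upper()


def lookup_report(host, missing_entry=None):
    """For both rules, report the realm chosen when `missing_entry` is absent
    from krb.realms, whether that realm exists in krb.conf, and whether the
    client would be sent to a reachable but wrong realm without any error."""
    realms = {k: v for k, v in KRB_REALMS.items() if k != missing_entry}
    # The realm the host really belongs to, per the complete table.
    intended = realm_of_host_current(host, KRB_REALMS)
    report = {}
    for name, rule in (("current", realm_of_host_current),
                       ("best_first", realm_of_host_best_first)):
        realm = rule(host, realms)
        report[name] = {
            "realm": realm,
            "known_in_krb_conf": realm in KRB_CONF_REALMS,
            # The dangerous case: a realm the client can reach, but not the
            # one the host belongs to. A missing or unknown realm fails loudly;
            # this one does not.
            "silently_wrong": realm in KRB_CONF_REALMS and realm != intended,
        }
    return report


if __name__ == "__main__":
    for host, missing in (("foo.lcs.mit.edu", "lcs.mit.edu"),
                          ("foo.media.mit.edu", "media.mit.edu")):
        print(f"{host} with the {missing} line missing:")
        for rule, result in lookup_report(host, missing).items():
            print(f"  {rule:10s} -> {result}")
```

With the lcs.mit.edu line missing, the current rule still lands on LCS.MIT.EDU by construction, while best-first quietly selects ATHENA.MIT.EDU; with the media.mit.edu line missing, the current rule produces MEDIA.MIT.EDU, which krb.conf does not know and so the lookup fails visibly, whereas best-first again selects a perfectly reachable ATHENA.MIT.EDU. The "silently_wrong" flag is the check a deployer would want to run over their own tables before adopting a suffix-walking rule.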

