[2427] in Kerberos-V5-bugs
krb5-libs/170: What I'm doing
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sun Nov 10 02:29:19 1996
Date: Sun, 10 Nov 1996 02:28:56 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU, krb5-bugs-redist@MIT.EDU, fastcart@MIT.EDU
This summary is presented for people who don't actually want
to take the time to read through the transactions from krbdev I
appended to the PR. Basically, the problem is that applications like
telnet call gethostbyname twice on hosts like athena.dialup.mit.edu
and with round-robin name servers, you can lose significantly because
you get different tickets than you actually connect to.
The solution that Ted eventually suggested is as follows:
Instead of changing krb5_sname_to_princ, or creating a new
version of krb5_sname_to_princ, what about simply having a new function,
krb5_os_cannonicalize_hostname(), which takes as input a hostname, and calls
gethostbyaddr(gethostbyname()) on the input hostname and returns the
resulting hostname?
Then we simply have to change those programs which might have to
call krb5_os_cannonicalize_hostname() first, and then use the
resulting hostname for krb5_sname_to_princ() as well as using that
hostname to call gethostbyname(), followed by connect().
This solution makes the same assumptions as your proposal (there
must be one PTR record for a given IP address), and it avoids needing to
use addresses in a krb5 interface which (as you point out) is a real
pain to do. We avoid the whole morass of sockaddr_in
vs. krb5_addresses, and the ease or non-ease of generating them by
simply using a char * for the canonicalized hostname.
It does have the disadvantage of an additional DNS resolver
call, but that seems like a minor price to pay.
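The following C program is an added illustration of the two flows discussed in this PR; it is not krb5 code and not part of the original message. Because real DNS is not available offline, it replaces gethostbyname()/gethostbyaddr() with a constructed lookup table (fake_gethostbyname, fake_gethostbyaddr, A_TABLE, PTR_TABLE, all assumptions of this example) that models one round-robin name with two addresses and one PTR record per address, exactly the assumption the proposal relies on. naive_flow() resolves the user-supplied name twice, once for the service principal and once for connect(), and shows how the round-robin rotation makes the ticket host and the connected host diverge; canonical_flow() performs the proposed gethostbyaddr(gethostbyname()) step first and then uses the canonical name for both, so the two agree.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for DNS so the example runs offline: one round-robin
 * name with two addresses (the athena.dialup.mit.edu situation from the PR)
 * and one PTR record per address, as the proposal assumes. These tables and
 * the fake_* functions are assumptions of this example, not krb5 code. */
typedef struct { const char *name; const char *addrs[2]; } a_record;
typedef struct { const char *addr; const char *ptr; } ptr_record;

static const a_record A_TABLE[] = {
    { "athena.dialup.mit.edu", { "18.0.0.1", "18.0.0.2" } },
    { "dialup-1.mit.edu",      { "18.0.0.1", NULL } },
    { "dialup-2.mit.edu",      { "18.0.0.2", NULL } },
};
static const ptr_record PTR_TABLE[] = {
    { "18.0.0.1", "dialup-1.mit.edu" },
    { "18.0.0.2", "dialup-2.mit.edu" },
};

/* Models the name server rotating its answer on every query. */
static unsigned rr_counter;
void reset_resolver(void) { rr_counter = 0; }

/* Stand-in for gethostbyname(): returns one address, round-robin style. */
static const char *fake_gethostbyname(const char *name) {
    for (size_t i = 0; i < sizeof A_TABLE / sizeof *A_TABLE; i++) {
        if (strcmp(A_TABLE[i].name, name) == 0) {
            size_t n = A_TABLE[i].addrs[1] ? 2 : 1;
            return A_TABLE[i].addrs[rr_counter++ % n];
        }
    }
    return NULL;
}

/* Stand-in for gethostbyaddr(): the PTR name for an address. */
static const char *fake_gethostbyaddr(const char *addr) {
    for (size_t i = 0; i < sizeof PTR_TABLE / sizeof *PTR_TABLE; i++)
        if (strcmp(PTR_TABLE[i].addr, addr) == 0)
            return PTR_TABLE[i].ptr;
    return NULL;
}

/* Bounded copy; fails on a missing name or one too long for the buffer. */
static int copy_name(char *dst, size_t dstlen, const char *src) {
    if (!src || strlen(src) >= dstlen) return -1;
    strcpy(dst, src);
    return 0;
}

/* The proposed step: gethostbyaddr(gethostbyname(host)), returning the
 * canonical name. Everything afterwards (principal and connect()) should
 * use this name, which maps to a single address. Returns 0 on success. */
int canonicalize_hostname(const char *host, char *out, size_t outlen) {
    const char *addr = fake_gethostbyname(host);
    if (!addr) return -1;
    return copy_name(out, outlen, fake_gethostbyaddr(addr));
}

/* The flow the PR complains about: the library resolves `host` once to pick
 * the service principal's host, then the application resolves `host` again
 * for connect(). With round-robin DNS the two answers can differ. */
int naive_flow(const char *host, char *ticket_host, size_t tlen,
               char *connect_addr, size_t alen) {
    if (canonicalize_hostname(host, ticket_host, tlen) != 0) return -1; /* 1st lookup */
    return copy_name(connect_addr, alen, fake_gethostbyname(host));     /* 2nd lookup */
}

/* The proposed flow: canonicalize first, then use the canonical name for
 * both the principal and the connect() lookup. */
int canonical_flow(const char *host, char *ticket_host, size_t tlen,
                   char *connect_addr, size_t alen) {
    if (canonicalize_hostname(host, ticket_host, tlen) != 0) return -1;
    return copy_name(connect_addr, alen, fake_gethostbyname(ticket_host));
}

/* 1 if the host the ticket was issued for is the host being connected to. */
int ticket_matches_connection(const char *ticket_host, const char *connect_addr) {
    const char *ptr = fake_gethostbyaddr(connect_addr);
    return ptr != NULL && strcmp(ptr, ticket_host) == 0;
}

int main(void) {
    char th[64], ca[64];
    reset_resolver();
    naive_flow("athena.dialup.mit.edu", th, sizeof th, ca, sizeof ca);
    printf("naive:     ticket for %s, connecting to %s (%s)\n", th, ca,
           ticket_matches_connection(th, ca) ? "match" : "MISMATCH");
    reset_resolver();
    canonical_flow("athena.dialup.mit.edu", th, sizeof th, ca, sizeof ca);
    printf("canonical: ticket for %s, connecting to %s (%s)\n", th, ca,
           ticket_matches_connection(th, ca) ? "match" : "MISMATCH");
    return 0;
}
```

The extra resolver call the message mentions is visible in canonical_flow(): the canonical name is looked up once more before connect(). The check in ticket_matches_connection() is only as trustworthy as the PTR data, which is why the proposal's requirement of exactly one PTR record per address matters.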