[568] in Kerberos-V5-bugs
More Concerns Over The Case of The Realm Names
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Jul 8 12:24:15 1994
Date: Fri, 08 Jul 94 11:23:33 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <auth-pilot@es.net>
Cc: <bcn@ISI.EDU>, <krb5-bugs@MIT.EDU>
The more I think about the convention of using upper case realm names
the more it bothers me for five reasons:
Reason 1:
Most of us have defined realm names using lower case for the
cross realm testing using k5.es.net as the base. But it looks
like LLNL is using LLNL.K5.ES.NET as the realm.
The choice of having all the realms end in k5.es.net was made so
the walk_rtree routine would would contact k5.es.net as the
common KDC.
But if some of us use upper case, it will not find K5.ES.NET
since it does not exist. (The shortcuts mode to walk_rtree.c could
take care of this, but this was not its intent.)
Reason 2:
Kerberos 5.3 is said to able to interoperate with OSF/DCE. I
would like to be able to use Kerberized clients with an OSF
security server acting as the KDC. But what is the Cell/Realm
name? Does OSF use uppercase for the cell name? I don't believe
so, I know AFS does not. (Currently I am using the AFS kaserver
as the Kerberos V4 KDC and use K4 clients. The AFS Cell name is
anl.gov and the Kerberos realm is ANL.GOV.) I hope that K5 and
OSF work similarly.
Reason 3:
I only see one places in the K 5.4.1 source where there is some
attempt at using a specific case for the realm name. (I may have
missed some). This is lib/krb5/os/hst_realm.c where it tries to
generate a realm name from a domain name, and converts it to
upper case, and it scans the krb.realms file and does a
strcasecmp against the domain name.
Reason 4:
The string to key routine now uses the realm name in the salt. I
don't see any case conversion here. The AFS string_to_key used
the cell name as well, but it made sure it was uppercase before
using it.
Reason 5:
Users tend to type using lower case, and are use to domain names
being in lower case. Having to use uppercase will be frustrating.
Suggestion:
I would like to see the realm name be considered case sensitive,
but with the convention being to use lower case for domain name
style realm names, and have hst_realm.c convert a domain name to
lower case. ( I know this may be considered a major change, but
in the long run, it will make things eaiser.)
(I would then use lower case for the name. mostly for reason 5.)
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
