[569] in Kerberos-V5-bugs
Re: More Concerns Over The Case of The Realm Names
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Jul 8 13:02:55 1994
Date: Fri, 8 Jul 94 13:02:40 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Doug Engert" <DEEngert@anl.gov>
Cc: <auth-pilot@es.net>, <bcn@ISI.EDU>, <krb5-bugs@MIT.EDU>
In-Reply-To: Doug Engert's message of Fri, 08 Jul 94 11:23:33 CDT,
<9407081624.AA00882@MIT.EDU>
> Date: Fri, 08 Jul 94 11:23:33 CDT
> From: "Doug Engert" <DEEngert@anl.gov>
>
> The more I think about the convention of using upper case realm names
> the more it bothers me for five reasons:
>
> Reason 1:
> Most of us have defined realm names using lower case for the
> cross realm testing using k5.es.net as the base. But it looks
> like LLNL is using LLNL.K5.ES.NET as the realm.
I'm sorry you happened to choose a convention which conflicts with the
current installed base. But you seem to be asking us to make a change
in convention that would break all of the currently existing Kerberos
realms. Remember, the V5 KDC supports both V4 and V5 requests for
compatibility's sake, so MIT's realm, and any realm which started in V4
and is migrating to V5, will NOT be able to change their realm name.
> Reason 2:
> Kerberos 5.3 is said to be able to interoperate with OSF/DCE. I
> would like to be able to use Kerberized clients with an OSF
> security server acting as the KDC. But what is the Cell/Realm
> name? Does OSF use uppercase for the cell name? I don't believe
> so, I know AFS does not. (Currently I am using the AFS kaserver
> as the Kerberos V4 KDC and use K4 clients. The AFS Cell name is
> anl.gov and the Kerberos realm is ANL.GOV.) I hope that K5 and
> OSF work similarly.
OSF/DCE is currently using all lower-case Cell names as its convention, and
the realm name is the same as the cell name. It is unfortunate that OSF
chose to use a convention which is different from the established V4
convention; perhaps they don't care as much about backwards
compatibility.
However, DCE will allow the use of upper-case cells; just as Kerberos
will allow the use of lower-case realm names. They are just contrary to
the established convention of each system. I wish DCE could have kept
to the already established convention, but I wasn't consulted when they
made that particular design change.
> Reason 3:
> I only see one place in the K 5.4.1 source where there is some
> attempt at using a specific case for the realm name. (I may have
> missed some). This is lib/krb5/os/hst_realm.c where it tries to
> generate a realm name from a domain name, and converts it to
> upper case, and it scans the krb.realms file and does a
> strcasecmp against the domain name.
This is not quite right. It prepares a default realm name from the
domain name, which follows the current conventions (i.e. upper case
domain name). It is doing a case insensitive compare against the domain
name because domain names are case insensitive. These are two separate
operations, and you seemed to be confusing them as one operation.
> Reason 4:
> The string to key routine now uses the realm name in the salt. I
> don't see any case conversion here.
There is no case conversion, because realm names are case insensitive.
This is not a reason to make a change to the convention.
> Reason 5:
> Users tend to type using lower case, and are used to domain names
> being in lower case. Having to use uppercase will be frustrating.
Users will rarely, if ever, need to type Kerberos realm names. In the
few places where they do, the code could be set up to uppercase the
realms if this was really a problem --- although I don't think it is.
> Suggestion:
> I would like to see the realm name be considered case sensitive,
> but with the convention being to use lower case for domain name
> style realm names, and have hst_realm.c convert a domain name to
> lower case. (I know this may be considered a major change, but
> in the long run, it will make things easier.)
Sorry, but the convention has been too-long established that the
Kerberos realm name is all upper case. This was done originally to
make the distinction that Kerberos realm names are *NOT* the same
concept as domain names. They are often the same because of the
convention, but they do not have to be the same, and in the interests of
architectural purity, it is important that they be kept separate.
Otherwise, you run into other problems....
The Kerberos realm name is case insensitive, and if you want to confuse
people you can even use a mixed case realm name. However, I don't see
any point in making the change now, especially since already deployed
sites can not possibly be expected to change to a new convention,
especially when there aren't any really good reasons for making the
change.
If you want to use all lower-case, you are free to; it will break
the assumption made in hst_realm.c, which tries to guess the realm name
from the domain name; but because of already deployed sites, some of
them with substantial numbers of users, I am not prepared to change the
behavior of that routine. The net result of that is that you will have
to have your realms listed in /etc/krb.realms; Kerberos V5 will not be
able to guess the realm name for you.
- Ted
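The two behaviours argued over above can be made concrete in a small model. The following is an added example, not code from the krb5 source tree or from either correspondent: it reproduces the hst_realm.c logic as Doug describes it (a krb.realms table consulted with a case-insensitive domain match, then a fallback that upper-cases the host's domain) and shows why Ted's answer to Reason 4 matters in practice: the realm string goes into the string-to-key salt verbatim, so a realm spelled ANL.GOV and one spelled anl.gov derive different keys from the same password. Assumptions made here and labelled in the code: the krb.realms line format (`domain_or_host REALM`, a leading dot meaning "any host under this domain") follows the V4 convention; the default salt is the realm followed by the principal name components with no separators (the MIT default); and the real DES string-to-key routine is replaced by an HMAC stand-in, since only the salt handling is being demonstrated.

```python
# Added example modelling realm-name case handling; not krb5 code.
# Assumptions: V4-style krb.realms format, MIT default salt layout
# (realm + name components), and an HMAC stand-in for string_to_key.

import hmac
import hashlib

# Constructed sample krb.realms contents for the sites named in the thread.
KRB_REALMS_SAMPLE = """\
# pattern            realm (written exactly as the site chose it)
.anl.gov             anl.gov
.k5.es.net           k5.es.net
.llnl.gov            LLNL.K5.ES.NET
kdc1.Example.ORG     EXAMPLE.ORG
"""


def parse_krb_realms(text):
    """Return a list of (pattern, realm) pairs; '#' starts a comment."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("bad krb.realms line: %r" % line)
        table.append((parts[0], parts[1]))
    return table


def default_realm_for_host(hostname):
    """hst_realm.c-style guess: the host's domain part, upper-cased."""
    labels = hostname.strip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def realm_of_host(hostname, table):
    """Map a host to a realm.

    The table is searched with a case-insensitive match on the host or
    domain (domain names are case-insensitive), but the realm string is
    returned exactly as written: nothing here changes realm case.  Hosts
    not covered by the table get the upper-cased domain guess, which is
    why a lower-case realm must be listed explicitly in krb.realms.
    """
    host = hostname.strip(".").lower()
    # Exact host entries take precedence over domain-suffix entries.
    for pattern, realm in table:
        if not pattern.startswith(".") and pattern.lower() == host:
            return realm
    # Among suffix entries the longest matching domain wins.
    best = None
    for pattern, realm in table:
        if pattern.startswith(".") and host.endswith(pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    if best is not None:
        return best[1]
    return default_realm_for_host(hostname)


def default_salt(principal, realm):
    """Assumed MIT default salt: realm, then the name components with
    the '/' separators removed, and no case conversion of either part."""
    return realm + "".join(principal.split("/"))


def string_to_key(password, salt):
    """Stand-in for string_to_key; only the salt sensitivity is of interest."""
    return hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    table = parse_krb_realms(KRB_REALMS_SAMPLE)
    for h in ["Ursa.anl.gov", "web.K5.ES.NET", "kdc1.example.org", "host.mit.edu"]:
        print("%-18s -> %s" % (h, realm_of_host(h, table)))
    k_upper = string_to_key("hunter2", default_salt("dengert", "ANL.GOV"))
    k_lower = string_to_key("hunter2", default_salt("dengert", "anl.gov"))
    print("same key for ANL.GOV and anl.gov?", k_upper == k_lower)
```

Running it shows the practical consequence of Ted's last paragraph: host.mit.edu, absent from the table, is guessed as MIT.EDU, while a site that chose anl.gov only gets that spelling if krb.realms says so. The last two lines show that "case insensitive" applies to how a realm name is compared, not to the bytes fed to string-to-key, so a site cannot later flip the case of its realm without re-deriving every password-based key.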