
Subject: krb needs better realm lookup logic
CC: Mark.Phalan@Sun.Com
This patch implements a heuristic to determine the realm name from the
DNS domain name of a host.

The algorithm is:

    domain = fqdn;
    while (domain.label_count > 2) {
        domain = pop_label(domain);
        realm = domain2realm(domain); /* for ASCII: toupper() */
        if (lookup_kdcs(realm) > 0)
            break;
        realm = NULL;
    }

    return (realm);

The patch as attached makes libresolv specific calls (as that's what
OpenSolaris uses).
Download krb5-1.6.3_dns-heuristic.patch

Thanks. The heuristic looks good. Is there some specific reason you went with direct resolver
calls, bypassing /etc/hosts and whatever else might be configured?
[raeburn - Tue Jul 15 14:27:02 2008]:

> Thanks. The heuristic looks good. Is there some specific reason you
> went with direct resolver
> calls, bypassing /etc/hosts and whatever else might be configured?

The direct resolver calls will still use /etc/hosts (at least on Solaris).
On Solaris we only support Kerberos if DNS is used. I believe there may
have been issues with host resolution to get fully qualified domain
names when using NIS or NIS+ as a name service backend. I don't know if
the original reasons for only supporting DNS are still valid.
Recording the conclusions (or my interpretation of them) from an email
discussion of this patch:

1. We do not want to do a "zero-configuration" determination of a
machine's default realm. It would require a reliance on DNS which is
not secure. (However, we should look into providing a realm-join
facility to make configuration of Kerberized hosts easier.)

2. We do want the host->realm heuristic, even though we also plan to
implement referrals for host->realm lookups in the future. However,
when used in combination with dns_lookup_kdc, the heuristic would allow
an attacker to use forged NXDOMAIN responses to cause the host->realm
lookup to choose a higher-level parent than the appropriate one.
Although this is a constrained risk, it is still a risk. Since
dns_lookup_kdc is on by default, the host->realm heuristic should be off
by default.

3. The heuristic should be changed to check the domain as specified
before moving on to its parents.

4. It has been suggested that the configuration variable to enable this
heuristic could specify the number of parents to check. (That is, if
the host is a.b.c.d, a configuration value of 0 would check only
A.B.C.D, a value of 1 or more would also check B.C.D, and a value of 2
or more would also check C.D.)

I note that the patch uses strlcpy(). We do not appear to use this
function in the MIT krb5 code base, I believe because (1) it is not
completely portable, and (2) we do not believe in using truncating
string functions since truncation can itself be a security risk.
Realizing that strcpy() sometimes triggers warnings in static analysis
tools, I currently favor using memcpy() to copy string contents.

I will implement these changes (not sure exactly when); there is no need
to resubmit the patch.

The patch adds some Sun copyright statements to the code comments; being
new to the team, I'm not sure if that poses any issues. I'll discuss it
with the team and report back if it's a problem.

Thanks very much for the code contribution.
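
An added illustration of conclusions 2 to 4 above together with the no-truncation copy, written for this page and not taken from the submitted patch or from MIT krb5; it generalizes item 4 to any parent count. The function names, the max_parents parameter, the negative-disables convention and the two constructed lookup callbacks are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed resolver views: only the parent answers (what a client sees when
 * the A.B.C.D reply is NXDOMAIN, genuine or forged), and both realms answer. */
static int lookup_parent_only(const char *r) { return strcmp(r, "C.D") == 0; }
static int lookup_both(const char *r)
{ return strcmp(r, "A.B.C.D") == 0 || lookup_parent_only(r); }

/* Uppercase domain into out; fail rather than truncate when it does not fit. */
static int domain_to_realm(const char *domain, char *out, size_t outsz)
{
    size_t len = strlen(domain), i;
    if (len == 0 || len >= outsz)
        return -1;
    memcpy(out, domain, len + 1);      /* length already checked; copies NUL */
    for (i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return 0;
}

/* Try domain as given, then up to max_parents parents, stopping at two labels;
 * max_parents < 0 disables it (example's convention). lookup is a hypothetical
 * stand-in returning a realm's KDC count. Returns 0, or -1 with realm "". */
static int realm_from_domain(const char *domain, int max_parents,
        int (*lookup)(const char *), char *realm, size_t realmsz)
{
    const char *cur = domain, *dot;
    for (int tried = 0; max_parents >= 0 && tried <= max_parents; tried++) {
        dot = strchr(cur, '.');
        if (dot == NULL || dot[1] == '\0' ||
            domain_to_realm(cur, realm, realmsz) != 0)
            break;                     /* too few labels, or would not fit */
        if (lookup(realm) > 0)
            return 0;
        cur = dot + 1;                 /* pop the leftmost label */
    }
    if (realmsz > 0)
        realm[0] = '\0';
    return -1;
}

int main(void)
{
    char r[64];
    int rc = realm_from_domain("a.b.c.d", 2, lookup_parent_only, r, sizeof(r));
    printf("rc=%d realm=%s\n", rc, r);
    return 0;
}
```

With only the parent answering, a limit of 0 or 1 returns no realm, while a limit of 2 selects C.D; that is the exposure the parent count bounds.
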
Okay, I need one more thing from you: please state that Sun intends the
new code to be covered by the Sun Microsystems license from the
top-level Kerberos README file. That way we can confidently add a note
to README mentioning the files in question, to make it clear what
license is meant by "use is subject to license."

Thanks. The license in question from the README file (which already
applies to a bunch of other code in Kerberos) is:

Copyright (c) 2004 Sun Microsystems, Inc.

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Date: Thu, 09 Oct 2008 15:35:35 +0200
From: Mark Phalan <Mark.Phalan@Sun.COM>
Subject: Re: [krbdev.mit.edu #6031] krb needs better realm lookup logic
To: rt-comment@krbdev.mit.edu
CC: Anup Sekhar <Anup.Sekhar@Sun.COM>
On Wed, 2008-10-08 at 16:26 +0000, Greg Hudson via RT wrote:
> Okay, I need one more thing from you: please state that Sun intends the
> new code to be covered by the Sun Microsystems license from the
> top-level Kerberos README file. That way we can confidently add a note
> to README mentioning the files in question, to make it clear what
> license is meant by "use is subject to license."

I'll have to run this by the lawyers. Hopefully it won't take too long.

-M

Date: Tue, 02 Dec 2008 14:11:50 +0100
From: Mark Phalan <Mark.Phalan@Sun.COM>
Subject: Re: [krbdev.mit.edu #6031] krb needs better realm lookup logic
To: rt-comment@krbdev.mit.edu

On Wed, 2008-10-08 at 16:26 +0000, Greg Hudson via RT wrote:
> Okay, I need one more thing from you: please state that Sun intends the
> new code to be covered by the Sun Microsystems license from the
> top-level Kerberos README file. That way we can confidently add a note
> to README mentioning the files in question, to make it clear what
> license is meant by "use is subject to license."

Sun intends that the new code be covered by the Sun Microsystems'
license from the top-level Kerberos README file (as seen below). The
Copyright needs to be updated to 2008 and the modified source files
should contain the following:

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */


Thanks,

-M

From: ghudson@mit.edu
Subject: SVN Commit

Add a new fallback host-to-realm heuristic to try the components of the
hostname as domains. The heuristic is off by default and is controlled
by the realm_try_domains variable under libdefaults.

Based on a patch submitted by Mark Phalan from Sun.


https://github.com/krb5/krb5/commit/2fd916940dbe98a2e7c000480979d5a37ef72265
Commit By: ghudson
Revision: 21588
Changed Files:
U trunk/README
U trunk/src/config-files/krb5.conf.M
U trunk/src/lib/krb5/os/hst_realm.c