Ticket History #6031: krb needs better realm lookup logic

Thanks. The heuristic looks good. Is there some specific reason you went with direct resolver
calls, bypassing /etc/hosts and whatever else might be configured?

Recording the conclusions (or my interpretation of them) from an email
discussion of this patch:

1. We do not want to do a "zero-configuration" determination of a
machine's default realm. It would require a reliance on DNS which is
not secure. (However, we should look into providing a realm-join
facility to make configuration of Kerberized hosts easier.)

2. We do want the host->realm heuristic, even though we also plan to
implement referrals for host->realm lookups in the future. However,
when used in combination with dns_lookup_kdc, the heuristic would allow
an attacker to use forged NXDOMAIN responses to cause the host->realm
lookup to choose a higher-level parent than the appropriate one.
Although this is a constrained risk, it is still a risk. Since
dns_lookup_kdc is on by default, the host->realm heuristic should be off
by default.

3. The heuristic should be changed to check the domain as specified
before moving on to its parents.

4. It has been suggested that the configuration variable to enable this
heuristic could specify the number of parents to check. (That is, if
the host is a.b.c.d, a configuration value of 0 would check only
A.B.C.D, a value of 1 or more would also check B.C.D, and a value of 2
or more would also check C.D.)

I note that the patch uses strlcpy(). We do not appear to use this
function in the MIT krb5 code base, I believe because (1) it is not
completely portable, and (2) we do not believe in using truncating
string functions since truncation can itself be a security risk.
Realizing that strcpy() sometimes triggers warnings in static analysis
tools, I currently favor using memcpy() to copy string contents.

I will implement these changes (not sure exactly when); there is no need
to resubmit the patch.

The patch adds some Sun copyright statements to the code comments; being
new to the team, I'm not sure if that poses any issues. I'll discuss it
with the team and report back if it's a problem.

Thanks very much for the code contribution.

Okay, I need one more thing from you: please state that Sun intends the
new code to be covered by the Sun Microsystems license from the
top-level Kerberos README file. That way we can confidently add a note
to README mentioning the files in question, to make it clear what
license is meant by "use is subject to license."

Thanks. The license in question from the README file (which already
applies to a bunch of other code in Kerberos) is:

Copyright (c) 2004 Sun Microsystems, Inc.

Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

On Wed, 2008-10-08 at 16:26 +0000, Greg Hudson via RT wrote:

Sun intends that the new code be covered by the Sun Microsystems'
license from the top-level Kerberos README file (as seen below). The
Copyright needs to be updated to 2008 and the modified source files
should contain the following:

/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/


Thanks,

-M

Add a new fallback host-to-realm heuristic to try the components of the
hostname as domains. The heuristic is off by default and is controlled
by the realm_try_domains variable under libdefaults.

Based on a patch submitted by Mark Phalan from Sun.


https://github.com/krb5/krb5/commit/2fd916940dbe98a2e7c000480979d5a37ef72265
Commit By: ghudson
Revision: 21588
Changed Files:
U trunk/README
U trunk/src/config-files/krb5.conf.M
U trunk/src/lib/krb5/os/hst_realm.c