To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Fri, 23 Aug 2024 17:38:37 +0000
Subject: kg_acceptor_princ behavior
From: "Hascall, John P [ITS]" <john@mail.iastate.edu>
In kg_acceptor_princ() [ found in lib/gssapi/krb5/naming_exts.c ]
exists the following:

    if (name->host != NULL && name->princ->length == 2) {
        /* If a host was given, we have to use the canonicalized form of it (as
         * given by krb5_sname_to_principal) for backward compatibility. */
        const krb5_data *d = &name->princ->data[1];
        tmp = k5memdup0(d->data, d->length, &code);
        if (tmp == NULL)
            return ENOMEM;
        host = tmp;
    } else ...

This is seriously annoying (esp as krb5_sname_to_principal() gives you the OPTION to canonicalize or not).
What exactly is it we are being backwards compatible with?

Grumpily yours,
John


John Hascall
Sr Security Architect
IT Services
Iowa State University
john@iastate.edu

This does not read like a bug report.  Requests for clarification about parts of the MIT krb5 code should be sent to krbdev@mit.edu, not to krb5-bugs@mit.edu, and should ideally come with more details and less venting.

For more information about that comment, see https://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names  and https://github.com/krb5/krb5/commit/66587fcd6380eac2c53674df4f64a827d337aee5.  Since then we have also implemented support for dns_canonicalize_hostname=fallback; if that is set, the acceptor will match the originally provided hostname or the canonicalized hostname.

If the preferred behavior is not to restrict the hostname part of the acceptor principal except to what is in the keytab, either the acceptor code should import a service name with no hostname part (like "HTTP" instead of "HTTP@myhostname"), or krb5.conf should contain ignore_acceptor_hostname=true.
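The two krb5.conf settings the reply refers to, written out as an added example (this fragment is not part of the thread and not from the krb5 source tree; the realm and the stanza layout are placeholders, and the two options are shown as alternatives, with the second commented out):

```ini
[libdefaults]
    # Added example, not from the thread above.  The realm is a placeholder.
    default_realm = EXAMPLE.COM

    # Alternative 1: keep hostname matching, but let the acceptor match
    # either the hostname exactly as the application provided it or the
    # DNS-canonicalized form of it (krb5 1.18 and later).
    dns_canonicalize_hostname = fallback

    # Alternative 2: do not restrict the hostname part of the acceptor
    # principal at all; any principal for the requested service that is
    # present in the keytab is accepted.  Uncomment to use instead of, or
    # in addition to, the setting above.
    #ignore_acceptor_hostname = true
```

With ignore_acceptor_hostname = true the only remaining restriction is keytab membership, so the acceptor's keytab should contain only the host-based keys that service is actually meant to accept tickets for. The third option from the reply, importing the bare service name ("HTTP" rather than "HTTP@myhostname") through gss_import_name(), is an application-side change and needs no krb5.conf entry.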