In the admin guide at http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Mapping-Hostnames-onto-Kerberos-Realms it says:
"The second mechanism [for mapping hostnames onto Kerberos realms] works by looking up the information in special TXT records in the Domain Name Service. This is currently not used by default because security holes could result if the DNS TXT records were spoofed"

Can you point me to further information on what these security issues are, and how big a risk they might pose, so as to be able to make an informed judgement as to whether to turn this on?

Let's say I have a user on workstation pc.foo.example.com, who wants to ssh to server.bar.example.com. Both are in realm EXAMPLE.COM, and I declare this in the DNS using

example.com. IN TXT "EXAMPLE.COM"

Both machines have dns_lookup_realm = true and default_realm = EXAMPLE.COM in krb5.conf.

(1) What DNS lookups are made by the workstation and/or the server when a connection takes place?

(2) Could any of the DNS responses take precedence over the default_realm specified in the config file for either the client or the server? (*)

(3) What's the worst that could happen if someone managed to insert a spoofed TXT record in one of the responses?

(4) Kerberos also relies on reverse DNS to map IP address to hostname (and hence to realm, either by domain_realm rules or by another DNS lookup). Are the security issues with dns_lookup_realm any more severe than those already inherent in IP to hostname lookups?

Thanks,

Brian Candler.

(*) The documentation for default_realm is unclear. It says: "If this is not specified and the TXT record lookup is enabled (see Using DNS), then that information will be used to determine the default realm", which implies to me that the TXT record *won't* be looked up if you define default_realm, even if dns_lookup_realm is true. However, experimentation suggests that if I have dns_lookup_realm = true, and I omit the TXT record from the DNS, then authentication doesn't work.
This is with krb5 1.3.4 from CentOS 4.6 and 4.4.

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
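The following is an added, constructed model of the host-to-realm lookup the post asks about; it is not the poster's code nor MIT krb5 source. It assumes the lookup order the cited admin guide describes: the static `[domain_realm]` section first, then (only when `dns_lookup_realm` is true) TXT records named `_kerberos.<host>` walking up to each parent domain, and `default_realm` purely as a fallback. DNS is replaced by an in-memory dictionary of TXT answers so it runs offline, and the realm name `SPOOFED.REALM` is a placeholder standing for whatever a forged answer might contain. Against that model, the three runs show which names a client would query, that a forged TXT answer does override `default_realm` when no static mapping matches, and that a `[domain_realm]` entry (or `dns_lookup_realm = false`) makes the DNS answer irrelevant.

```python
"""Model of how an MIT krb5 client picks the realm for a server host name.

Constructed illustration, not krb5 source. Lookup order assumed from the
krb5 admin guide quoted in the post:
  1. the static [domain_realm] section (exact host, then parent domains
     written with a leading dot);
  2. if dns_lookup_realm is true, TXT records named _kerberos.<host>,
     then _kerberos.<parent domain>, and so on up the tree;
  3. otherwise default_realm, which is only a fallback.
DNS is replaced by an in-memory dict of TXT answers so this runs offline.
"""
from typing import Dict, List, Optional, Tuple


def _labels(host: str) -> List[str]:
    """Normalise a host name to lower-case labels without a trailing dot."""
    return host.lower().rstrip(".").split(".")


def domain_realm_lookup(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Step 1: most specific static match from [domain_realm], or None."""
    labels = _labels(host)
    full = ".".join(labels)
    if full in domain_realm:
        return domain_realm[full]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def dns_txt_realm_lookup(host: str, txt_records: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Step 2: walk _kerberos.<name> TXT records up the domain tree.

    Returns (realm or None, names queried in order) so the caller can see
    exactly which responses would have to be trusted.
    """
    labels = _labels(host)
    queried: List[str] = []
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        queried.append(name)
        if name in txt_records:
            return txt_records[name], queried
    return None, queried


def host_realm(host: str, conf: dict, txt_records: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Return (realm, which step decided it, DNS names queried)."""
    realm = domain_realm_lookup(host, conf.get("domain_realm", {}))
    if realm is not None:
        return realm, "domain_realm", []
    if conf.get("dns_lookup_realm", False):
        realm, queried = dns_txt_realm_lookup(host, txt_records)
        if realm is not None:
            return realm, "dns_txt", queried
        return conf["default_realm"], "default_realm", queried
    return conf["default_realm"], "default_realm", []


# Constructed data: the poster's DNS-driven configuration, a static
# alternative, an honest zone, and a zone whose answer has been replaced.
CONF_DNS_ONLY = {"default_realm": "EXAMPLE.COM", "dns_lookup_realm": True}
CONF_STATIC = {
    "default_realm": "EXAMPLE.COM",
    "dns_lookup_realm": False,
    "domain_realm": {".example.com": "EXAMPLE.COM", "example.com": "EXAMPLE.COM"},
}
HONEST_DNS = {"_kerberos.example.com": "EXAMPLE.COM"}
SPOOFED_DNS = {"_kerberos.example.com": "SPOOFED.REALM"}  # placeholder value

if __name__ == "__main__":
    cases = [
        ("honest DNS, dns_lookup_realm", CONF_DNS_ONLY, HONEST_DNS),
        ("forged answer, dns_lookup_realm", CONF_DNS_ONLY, SPOOFED_DNS),
        ("forged answer, static domain_realm", CONF_STATIC, SPOOFED_DNS),
    ]
    for label, conf, dns in cases:
        realm, source, queried = host_realm("server.bar.example.com", conf, dns)
        print(f"{label:36} -> {realm} via {source}; queried {queried}")
```

The returned `queried` list is the concrete answer to question (1) under this model: three TXT names for a four-label host, any one of which is a response the client must trust. The third case is the mitigation a defender would apply if the risk in (3) is unacceptable: pin the mapping in `[domain_realm]` so DNS is never consulted for that suffix.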
