On Thu, Mar 14, 2013 at 09:39:56PM -0400, Greg Hudson wrote: > On 03/14/2013 07:08 PM, Yury Sulsky wrote: > > I'm not sure I understand. The function [krb5_sname_to_principal] takes > > a candidate hostname (or calls [gethostname] if that argument is NULL), > > and performs a forward lookup using [getaddrinfo]. It then takes the > > canonical name and IP address stored in the first addrinfo record and > > checks that that DNS has a reverse mapping from that IP address to that > > canonical name, otherwise it fails. > > krb5_sname_to_principal takes whatever answer it gets from the reverse > lookup and uses that as the canonical hostname (after converting it to > lowercase and chopping off any trailing dot). There is no check to see > if that result is the same as the forward lookup. Take a look at what > happens to the remote_host variable after the getnameinfo call.
Note that Solaris krb has never used reverse lookup in krb5_sname_to_principal() and in the current source: #if !defined(DEFAULT_RDNS_LOOKUP) /* Solaris Kerberos */ #define DEFAULT_RDNS_LOOKUP 0 #endif -- Will Fiveash Oracle Solaris Software Engineer ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
