
disable hostname canonicalization by Kerberos library #381

Closed

Conversation

@martbab martbab (Contributor) commented Jan 9, 2017

By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

@tiran tiran (Member) commented Jan 10, 2017

One Travis job was failing; I restarted it.

@tkrizek tkrizek self-assigned this Jan 11, 2017
@tkrizek tkrizek (Contributor) commented Jan 11, 2017

Works as expected.

@tkrizek tkrizek added the ack Pull Request approved, can be merged label Jan 11, 2017
@martbab martbab (Contributor, Author) commented Jan 11, 2017

Thanks for the ACK. I would like to ask @simo5 if this change is okay from the krb5 point of view and does not pose any security problem for clients.

@simo5 simo5 (Contributor) commented Jan 11, 2017

@martbab this change actually improves security by avoiding a DNS lookup that could be manipulated by an attacker, however it also means some setups may break, because they depend on canonicalization to actually get the correct name, and should be documented in release notes.
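An added example, in Python, that is not FreeIPA or MIT krb5 code: it models the two situations described on this page, the short-name-before-FQDN hosts file from the PR description and the attacker-influenced resolver from simo5's comment, by emulating how the resolver picks a canonical name and how the client turns that into the service principal of a TGS-REQ. The hosts-file lines, realm and host names are constructed for the demo; the real krb5 library resolves via getaddrinfo(AI_CANONNAME), which this code imitates only for the hosts-file case.

```python
# Added example, not FreeIPA or MIT krb5 code. It models what the PR
# description and simo5's comment describe: with hostname canonicalization
# on, the name that ends up in the TGS-REQ comes from the resolver, so a
# badly ordered /etc/hosts line (or a spoofed answer) changes the service
# principal the client asks the KDC for. All hosts-file contents, the realm
# and the host names below are constructed for the demo.

def hosts_canonical_name(hosts_text, name):
    """Emulate glibc's files backend for getaddrinfo(AI_CANONNAME):
    on the first matching /etc/hosts line, the name right after the
    address is the canonical name and the rest are aliases.
    Returns None when the name is not listed."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        names = fields[1:]                     # canonical first, then aliases
        if name in names:
            return names[0]
    return None


def service_principal(hostname, realm, hosts_text, canonicalize, service="host"):
    """Build the service principal a client would put in a TGS-REQ.
    canonicalize=True mirrors krb5's default: the supplied name is replaced
    by the resolver's canonical name when resolution succeeds (and kept
    when it fails). canonicalize=False mirrors the PR's setting: the
    supplied FQDN is used as-is. The name is lowercased and a trailing dot
    removed, as krb5 does."""
    name = hostname
    if canonicalize:
        canon = hosts_canonical_name(hosts_text, hostname)
        if canon is not None:
            name = canon
    name = name.lower().rstrip(".")
    return f"{service}/{name}@{realm}"


REALM = "EXAMPLE.TEST"
FQDN = "ipa.example.test"

# Constructed hosts files. GOOD lists the FQDN first; BAD lists the short
# name first (the case from the PR description); SPOOFED stands in for a
# resolver an attacker controls (simo5's point).
GOOD_HOSTS = "10.0.0.5  ipa.example.test ipa\n"
BAD_HOSTS = "10.0.0.5  ipa ipa.example.test   # short name before FQDN\n"
SPOOFED_HOSTS = "203.0.113.9  evil.attacker.test ipa.example.test\n"


def demo():
    """Return the principal the client would request in each scenario."""
    return {
        "good_canon": service_principal(FQDN, REALM, GOOD_HOSTS, True),
        "bad_canon": service_principal(FQDN, REALM, BAD_HOSTS, True),
        "spoofed_canon": service_principal(FQDN, REALM, SPOOFED_HOSTS, True),
        # With canonicalization off, the resolver no longer matters.
        "bad_nocanon": service_principal(FQDN, REALM, BAD_HOSTS, False),
        "spoofed_nocanon": service_principal(FQDN, REALM, SPOOFED_HOSTS, False),
    }


if __name__ == "__main__":
    for case, princ in demo().items():
        print(f"{case:16} -> {princ}")
```

With canonicalization on, the BAD hosts file turns `host/ipa.example.test@EXAMPLE.TEST` into `host/ipa@EXAMPLE.TEST`, which the KDC has no key for, and the SPOOFED resolver turns it into a principal for the attacker's host; with canonicalization off, the supplied FQDN is used in both cases. The MIT krb5 knob that controls this is `dns_canonicalize_hostname` in the `[libdefaults]` section of krb5.conf (default true); as simo5 notes, setting it to false also means hosts that are only reachable through a short name or a CNAME must be referred to by the name the service's keytab actually carries.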

@pvoborni pvoborni (Member) commented

To not forget to update the release notes later at release, @martbab could you update the respective fields in both the ticket and the BZ when the patch is pushed.

@martbab martbab (Contributor, Author) commented Jan 11, 2017

@pvoborni will do.

@martbab martbab (Contributor, Author) commented Jan 11, 2017

Labels: ack (Pull Request approved, can be merged), pushed (Pull Request has already been pushed)

5 participants