Re: Strange behavior with mixed case host name/principal

From Jafar Aliev <tubecleaner@gmail.com>
Newsgroups comp.protocols.kerberos
Subject Re: Strange behavior with mixed case host name/principal
Date 2025-04-18 21:25 +0300
Organization TNet Consulting
Message-ID <mailman.180.1745000754.2322.kerberos@mit.edu>
References <CALwi_rrX1-LGsjT7zr-bYyhf+GneUZV6S9kVA=-yf_pTh5PsjA@mail.gmail.com> <202504181730.53IHUoYQ015681@hedwig.cmf.nrl.navy.mil> <CALwi_rrjcwfdY8C-cy0DYjZdqGm8i4QWHeq3_2wes7tb3Tn0jw@mail.gmail.com>


Ken, thank you for the fast response.

Your answer almost fulfills my request. I'll incorporate extra checks
in our playbooks for strict hostname case.

One small splinter will remain: why the Kerberos lib indicates an error with
the exact host principal name that it has in the keytab.

P.S. My old RHEL 7.9 setup also doesn't have this problem: it
lowercases the hostname before requesting tickets.

On Fri, Apr 18, 2025 at 8:30 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >Workarounds with sshd_conf
> >GSSAPIStrictAcceptorCheck no
> >or krb5.conf
> >ignore_acceptor_hostname = true
> >work well, but I want to keep a strict hostname check.
>
> Why, exactly?  There are a few multi-homed situations where this
> can cause security issues but I don't think they apply here.
>
> There aren't wonderful solutions for this situation other than turning
> off strict acceptor checking.  The DNS is case-PRESERVING, but
> case-insensitive in lookup, so "SERVER" and "server" are treated as
> being identical when it comes to hostname lookup.  RFC 4120 recommends
> folding names to lowercase; that happens sometimes based on a particular
> Kerberos implementation (in MIT Kerberos that happens when the hostname
> is canonicalized in the function krb5_sname_to_principal() which is
> called by most higher-level APIs such as the GSSAPI).
>
> --Ken



-- 
Best regards,
Jafar Aliev
http://jafar.ru
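
A playbook-style hostname case check of the kind mentioned in this message, as an added example that is not part of the original post or of MIT Kerberos. It assumes the usual `klist -k` listing layout; the sample listing, host names and function names are constructed for illustration, and the rule it enforces (everything lowercase, following the RFC 4120 folding recommendation quoted above) is a policy choice.

```python
import re

# Constructed sample of `klist -k` output (not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/Server01.example.com@EXAMPLE.COM
   2 host/Server01.example.com@EXAMPLE.COM
   2 host/server01.example.com@EXAMPLE.COM
   3 HTTP/server01.example.com@EXAMPLE.COM
"""

# One keytab line: "<kvno> <service>/<host>@<REALM>"
ENTRY = re.compile(r"^\s*(\d+)\s+([^/@\s]+)/([^@\s]+)@(\S+)\s*$")


def keytab_entries(klist_output):
    """Yield (kvno, service, host, realm) for each service/host@REALM line."""
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def check_host_case(klist_output, hostname, service="host"):
    """Return findings where hostname or keytab principal case is not folded."""
    findings = []
    folded = hostname.lower()
    if hostname != folded:
        findings.append(f"system hostname {hostname!r} is not lowercase")
    # A keytab lists one line per key, so collapse duplicates first.
    hosts = sorted({h for _, s, h, _ in keytab_entries(klist_output) if s == service})
    # DNS lookup is case-insensitive, so compare folded forms to find candidates.
    candidates = [h for h in hosts if h.lower() == folded]
    if not candidates:
        findings.append(f"no {service}/ principal for {folded} in keytab")
    elif folded not in candidates:
        findings.append(f"keytab has no all-lowercase {service}/{folded} principal")
    for h in candidates:
        if h != folded:
            findings.append(f"keytab principal {service}/{h} is mixed case")
    return findings


if __name__ == "__main__":
    for finding in check_host_case(SAMPLE_KLIST, "Server01.example.com"):
        print("FAIL:", finding)
```

In a playbook the first argument would come from running `klist -k` on the target host and the second from its configured hostname; a non-empty result fails the run.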
