[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Reverse Lookup Server SSL Certivicate CN

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: Reverse Lookup Server SSL Certivicate CN
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 07 Jan 2004 15:19:37 -0800
Cc: ms419@freezone.co.uk, openldap-software@OpenLDAP.org
In-reply-to: <183636595.1073487779@cadabra.stanford.edu>
References: <03DBBD20-40EE-11D8-87A2-000A95C71776@freezone.co.uk> <6.0.0.22.0.20040107132218.0410be50@127.0.0.1> <183636595.1073487779@cadabra.stanford.edu>

At 03:02 PM 1/7/2004, Quanah Gibson-Mount wrote:


>--On Wednesday, January 07, 2004 1:26 PM -0800 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
>
>>>This is unlike the behavior of my customary authentication mechanism,
>>>kerberos, which performs a reverse lookup of the server's IP to locate
>>>it's principal.
>>
>>Kerberos is broken here.
>
>I don't know that I believe this is what Kerberos does.  It is true, you can include IP addresses in K5 tickets, but it is not necessary.  It is also true that you can put in a rule where a kerberos connection is only accepted when the forward and reverse lookups of a system match.  Neither of those, however, have to do with locating the kerberos principle...

I am specifically referring to validation of Kerberos tickets
using information gained through non-secured DNS.  That's broken.
DNS is easily spoofed or otherwise fooled into giving out
incorrect information.

Follow-Ups:
- Re: Reverse Lookup Server SSL Certivicate CN
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- Reverse Lookup Server SSL Certivicate CN
  - From: ms419@freezone.co.uk
- Re: Reverse Lookup Server SSL Certivicate CN
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: Reverse Lookup Server SSL Certivicate CN
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: RE: Do you have suggestions for LDAP book ?
Next by Date: Re: Reverse Lookup Server SSL Certivicate CN
Index(es):
- Chronological
- Thread