
Re: [authmeth] secure derivations of server hostname



Kurt D. Zeilenga wrote:
> At 12:53 PM 6/30/2003, Michael Ströder wrote:
>
>> Kurt D. Zeilenga wrote:
>>
>>> I'll give two examples.
>>> 1) a client could derive a hostname from "localhost" in a secure fashion.
>>
>> How?
>
> By use of gethostname(3) or the like.

Note that on most systems localhost is rarely the same as the machine's host name.


E.g. on a Linux box the interface lo (loopback device) with IP addr 127.0.0.1 and name localhost is definitely something different than eth0 with a different IP addr assigned matching the machine's host name.

And not every service binds to all available interfaces when running on a machine.

I see some risks when relaxing the host name check.

Ciao, Michael.
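
The following C program is an added illustration of the distinction discussed in this message; it is not code from the thread or from any LDAP implementation. It resolves the name returned by gethostname(3) and the name "localhost", then counts how many of each name's addresses fall outside the loopback range (the helper names `is_loopback` and `count_addrs` are made up for this example).

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns nonzero if sa is a loopback address (127.0.0.0/8 or ::1). */
int is_loopback(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr) >> 24) == 127;
    if (sa->sa_family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK(&((const struct sockaddr_in6 *)sa)->sin6_addr);
    return 0; /* other address families are never treated as loopback */
}

/* Resolves name; returns the number of addresses found (-1 on failure)
 * and stores in *non_loopback how many of them are not loopback. */
int count_addrs(const char *name, int *non_loopback)
{
    struct addrinfo hints, *res, *p;
    int total = 0;
    memset(&hints, 0, sizeof hints);      /* ai_family 0 == AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    *non_loopback = 0;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next) {
        total++;
        if (!is_loopback(p->ai_addr))
            (*non_loopback)++;
    }
    freeaddrinfo(res);
    return total;
}

int main(void)
{
    char host[256];
    const char *names[2] = { host, "localhost" };
    if (gethostname(host, sizeof host) != 0)
        return 1;
    host[sizeof host - 1] = '\0';         /* gethostname may not terminate */
    for (int i = 0; i < 2; i++) {
        int nl, n = count_addrs(names[i], &nl);
        printf("%-20s %d address(es), %d not loopback\n", names[i], n, nl);
    }
    return 0;
}
```

On a host where the machine name maps to an address on a non-loopback interface, the two lines of output differ, so a name derived with gethostname(3) identifies a different endpoint than the "localhost" the client actually connected to.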