[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5812) New option to disable SASL host canonicalization

Geert Jansen wrote:
> Well .. I don't think my patch qualifies as breaking software to work
> with broken software. The patch allows OpenLDAP applications to use
> alternative ways for name canonicalization. At this moment this is not
> possible because OpenLDAP is hard coded to canonicalize names with
> reverse DNS. This means I cannot use the option that MIT Kerberos
> provides me to disable this (rdns = no), as host names have already been
> reverse mapped by OpenLDAP before they are passed into Kerberos.
> I agree with you that reverse DNS should be correct. I just mentioned
> the fact that many reverse DNS setups are broken as an example of why it
> can be problematic.

The fact that many environments are misconfigured is not a good reason to 
change the current behavior.

> Another reason why canonicalization based on reverse
> DNS is problematic is that it requires secure DNS to be secure. RFC4120
> mentions this:

That is completely irrelevant. If a given site has a misconfigured DNS, 
whether or not it uses integrity or privacy checks on the DNS service, it is 
still misconfigured.

>    Implementations of Kerberos and protocols based on Kerberos MUST NOT
>    use insecure DNS queries to canonicalize the hostname components of
>    the service principal names (i.e., they MUST NOT use insecure DNS
>    queries to map one name to another to determine the host part of the
>    principal name with which one is to communicate).

> The same RFC recommends in fact that applications do not canonicalize
> host names at all:
>    To maximize interoperability and security, applications SHOULD provide security
>    mechanisms with names that result from folding the user- entered name to
>    lowercase without performing any other modifications or canonicalization.

Wishful thinking; that recommendation is at least 15 years too late and the 
majority of Kerberized software isn't going to change to accommodate it.

In the meantime, the arguments about secure DNS are pure red herrings:
   1. if your DNS has been hijacked, it's most likely that you'll be directed 
to a rogue KDC first, so the question of which service you're talking to is moot.
   2. there's nothing to gain from directing you to a rogue service, since if 
you managed to contact the legitimate KDC, you're going to have a service 
ticket that can only be decoded by the legitimate service principal.
   On the other hand, if the rogue service is actually a valid principal in 
your trusted KDC's database, then you clearly have an administrative problem 
in your KDC.

This patch attempts to provide a band-aid without actually solving the real 
problem. It merely masks the problem temporarily, until it gets even worse.

This request is akin to asking for "schemachecking off" to be resurrected. 
This sort of feature is always requested because of an existing mistake, and 
allowing it only compounds the mistake further. We should never make it easier 
for admins to make and ignore mistakes.
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/