[Date Prev][Date Next]
Re: (ITS#5812) New option to disable SASL host canonicalization
> Howard Chu<firstname.lastname@example.org> writes:
>> Leaving aside your followup which clarified this clause: the obvious
>> point is that a Kerberos client needs to have trusted *local* data to
>> protect against this attack.
> All Kerberos clients have trusted local data. It's required by the
> Kerberos protocol; the server gives you a TGT that you can only decrypt
> using your trusted local data. So I'm not sure what you're getting at
> here. The problem with DNS canonicalization is that it allows you to
> attack clients even if those clients have trusted local data to establish
> mutual authentication with the KDC.
This is going way beyond off topic but...
The real problem is that the standard POSIX gethost/getaddr* APIs don't tell
you the confidence level of the information they return. Nor do they let you
specify a minimum acceptable confidence level when you make a query.
(Analogous to the SSFs we use in OpenLDAP.)
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/