[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5812) New option to disable SASL host canonicalization

rra@stanford.edu wrote:
> Howard Chu<hyc@symas.com>  writes:
>> Leaving aside your followup which clarified this clause: the obvious
>> point is that a Kerberos client needs to have trusted *local* data to
>> protect against this attack.
> All Kerberos clients have trusted local data.  It's required by the
> Kerberos protocol; the server gives you a TGT that you can only decrypt
> using your trusted local data.  So I'm not sure what you're getting at
> here.  The problem with DNS canonicalization is that it allows you to
> attack clients even if those clients have trusted local data to establish
> mutual authentication with the KDC.

This is going way beyond off topic but...

The real problem is that the standard POSIX gethost/getaddr* APIs don't tell 
you the confidence level of the information they return. Nor do they let you 
specify a minimum acceptable confidence level when you make a query. 
(Analogous to the SSFs we use in OpenLDAP.)

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/