
Re: Reverse Lookup Server SSL Certificate CN

At 03:02 PM 1/7/2004, Quanah Gibson-Mount wrote:

>--On Wednesday, January 07, 2004 1:26 PM -0800 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>>>This is unlike the behavior of my customary authentication mechanism,
>>>kerberos, which performs a reverse lookup of the server's IP to locate
>>>its principal.
>>Kerberos is broken here.
>I don't know that I believe this is what Kerberos does.  It is true, you can include IP addresses in K5 tickets, but it is not necessary.  It is also true that you can put in a rule where a kerberos connection is only accepted when the forward and reverse lookups of a system match.  Neither of those, however, has to do with locating the kerberos principal...

I am specifically referring to validation of Kerberos tickets
using information gained through non-secured DNS.  That's broken.
DNS is easily spoofed or otherwise fooled into giving out
incorrect information.
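The failure Kurt is describing can be shown with a small model of the client-side logic. The following is an added example, not code from the thread or from any Kerberos implementation: a constructed DNS zone, a constructed KDC key table, and two toy clients that differ only in where they get the service principal name (SPN) from. Hostnames, addresses and key labels are all invented for illustration.

```python
"""Toy model of Kerberos service-principal selection under DNS spoofing.

Added example (not part of the original thread). The DNS tables, KDC key
table, realm and host names below are constructed for illustration only.
"""

REALM = "EXAMPLE.COM"

# Constructed forward/reverse DNS as an honest resolver would return it.
HONEST_DNS = {
    "A":   {"ldap.example.com": "192.0.2.10"},
    "PTR": {"192.0.2.10": "ldap.example.com"},
}

# The same zone as seen by a client whose resolver has been fooled: the PTR
# for the real server's address now names an attacker-controlled host for
# which the attacker legitimately holds a service key in the realm.
SPOOFED_DNS = {
    "A":   dict(HONEST_DNS["A"]),
    "PTR": {"192.0.2.10": "evil.example.com"},
}

# Constructed KDC database: service principal -> who holds its key.
KDC_KEYS = {
    f"ldap/ldap.example.com@{REALM}": "server-key",
    f"ldap/evil.example.com@{REALM}": "attacker-key",
}


def principal_via_reverse_lookup(configured_host, dns):
    """Broken client: name -> A record -> PTR, then trust the PTR for the SPN.

    Whoever controls the PTR answer controls which principal the client
    asks the KDC for, and therefore which key the service ticket is
    encrypted under.
    """
    ip = dns["A"][configured_host]
    canonical = dns["PTR"].get(ip, configured_host)
    return f"ldap/{canonical}@{REALM}"


def principal_via_configured_name(configured_host, dns=None):
    """Client that derives the SPN only from the name it was told to contact.

    DNS is still used to find the address, but it never decides the SPN,
    so a spoofed answer can at most cause a connection failure.
    """
    return f"ldap/{configured_host}@{REALM}"


def issue_service_ticket(principal):
    """Toy KDC: the ticket is encrypted under whatever key the SPN maps to."""
    if principal not in KDC_KEYS:
        raise KeyError(f"unknown service principal {principal}")
    return {"sname": principal, "encrypted_with": KDC_KEYS[principal]}


def who_can_decrypt(client, configured_host, dns):
    """Run one client against one view of DNS and report which key the
    resulting service ticket is encrypted with."""
    return issue_service_ticket(client(configured_host, dns))["encrypted_with"]


if __name__ == "__main__":
    for label, dns in (("honest DNS", HONEST_DNS), ("spoofed DNS", SPOOFED_DNS)):
        for client in (principal_via_reverse_lookup, principal_via_configured_name):
            key = who_can_decrypt(client, "ldap.example.com", dns)
            print(f"{label:12} {client.__name__:32} -> {key}")
```

With honest DNS both clients end up with a ticket only the real server can decrypt. With the spoofed PTR, the reverse-lookup client asks the KDC for `ldap/evil.example.com` and receives a perfectly valid ticket that the attacker can decrypt, while the client that keeps the configured name is unaffected. The practical check on a real deployment is the same one the model makes: confirm the client derives the SPN from the name it was configured with, not from a PTR answer. In MIT Kerberos the relevant `[libdefaults]` settings in `krb5.conf` are `rdns = false` and, on releases that support it, `dns_canonicalize_hostname`; which of these a given client build honours has to be checked against its own documentation.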