default realm resolution question
Hi. i'm wondering if somebody can provide me a reference to past
discussion on the list. i'm curious: if looking up the default
realm in DNS, and the `hostname` isn't fully qualified so that
the lookup fails, why not try to expand the name?
below is a (not very artful) patch just to show you what i'm
getting at. i'm sure somebody's raised this before but i'm
curious why heimdal doesn't fall back to using a hostname lookup
to expand the local hostname as it seems MIT krb5 does. is it
a philosophical security concern?
thanks for humoring me
--buck
--- lib/krb5/get_host_realm.c.orig Wed Aug 28 09:36:57 2002
+++ lib/krb5/get_host_realm.c Fri May 23 14:22:43 2003
@@ -208,6 +208,7 @@
const char *host,
krb5_realm **realms)
{
+ krb5_error_code ret;
char hostname[MAXHOSTNAMELEN];
if (host == NULL) {
@@ -216,5 +217,18 @@
host = hostname;
}
- return krb5_get_host_realm_int (context, host, 1, realms);
+ ret = krb5_get_host_realm_int(context, host, 1, realms);
+
+ /* if we couldn't find a realm for our own hostname and it looks
+ * unqualified, try the expansion mechanism */
+ if (ret == KRB5_ERR_HOST_REALM_UNKNOWN &&
+ host == hostname &&
+ strchr(host, '.') == NULL) {
+ char *thost = NULL;
+ ret = krb5_expand_hostname_realms(context, host, &thost,
+ (char ***)realms);
+ if (ret == 0 && thost != NULL)
+ free(thost);
+ }
+ return ret;
}
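Review bot: the `(char ***)realms` cast on the `krb5_expand_hostname_realms` call defeats type checking; if `krb5_realm **` and `char ***` are the same type the cast is unnecessary, and if they are not it hides a real mismatch, so either drop it or add a comment saying why it is safe. The fallback also means the realm of the local host can now be chosen by whatever the resolver returns for an unqualified name, which is exactly the concern raised in the cover note; that deserves a comment in the code and ideally a configuration switch rather than an unconditional retry. Finally, `thost` is freed only when `ret == 0`; confirm that `krb5_expand_hostname_realms` never hands back an allocated `thost` on an error path, otherwise the `ret != 0` case leaks it.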
--- lib/krb5/expand_hostname.c.orig Tue Sep 18 05:35:47 2001
+++ lib/krb5/expand_hostname.c Fri May 23 14:22:43 2003
@@ -140,7 +140,7 @@
return ret;
}
strlwr (*new_hostname);
- ret = krb5_get_host_realm (context, *new_hostname, realms);
+ ret = krb5_get_host_realm_int (context, *new_hostname, 1, realms);
if (ret == 0) {
freeaddrinfo (ai);
return 0;
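Review bot: replacing the public `krb5_get_host_realm` with `krb5_get_host_realm_int` and a bare `1` as the third argument hard-codes that flag inside the expansion path, and nothing in the hunk says what the flag selects or why the public entry point was the wrong call here; if the intent is to avoid re-entering the fallback added in get_host_realm.c, say so in a comment, and prefer a named value over the literal `1` so the choice is visible to the next reader.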