Bug#532536: libgssapi-krb5: krb5_gss_acquire_cred resolves forward/reverse DNS but doesn't properly handles multiple search domains

2009-06-10 Thread Michael Stapelberg
Hi Sam,

Thanks for your quick reply.

* [10.06.09 01:13]:
 Gss calls gss_import_name (lib/gssapi/krb5/import_name.c) and that
 calls krb5_sname_to_principal (src/lib/krb5/os/sn2princ.c) which is
 almost certainly your problem.
 
 However I think that just calls getaddrinfo and getnameinfo so I
 suspect something strange is going on here.
It calls getaddrinfo with ai_flags = AI_CANONNAME and ai_family = AF_INET,
which seems to be the problem. The resolver apparently retries until it finds
a canonical name for the AF_INET family. As bar.foo.net has only an AF_INET6
record, it will be skipped.

Changing hints.ai_family to 0, it works. I’m not sure why you don’t do that by
default? There is some code below, which, in case of an error when resolving,
does exactly that and retries the whole process. However, the error won’t be
triggered since I got the fallback-host bar.foo.lan, as mentioned.

Best regards,
Michael
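To make the search-list walk Michael describes concrete, here is an added example; it is not code from this thread or from MIT Kerberos, and canon_lookup/sname_lookup are hypothetical helpers that stand in for getaddrinfo and the sn2princ.c retry logic. The zone data is constructed to mirror the report (bar.foo.net with only an IPv6 record, bar.foo.lan with both), plus one extra host with no foo.lan fallback so that the family-0 retry branch is also exercised.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6, AF_UNSPEC */

/* Constructed zone data mirroring the report: bar.foo.net has only an IPv6
 * record, bar.foo.lan has both; only6.foo.net is an extra host with IPv6 only
 * and no foo.lan counterpart. */
struct fake_rr { const char *name; int family; };
static const struct fake_rr zone[] = {
    { "bar.foo.net",   AF_INET6 },
    { "bar.foo.lan",   AF_INET  },
    { "bar.foo.lan",   AF_INET6 },
    { "only6.foo.net", AF_INET6 },
};
/* The 'search' line from the reporter's resolv.conf. */
static const char *search_list[] = { "foo.net", "foo.lan" };

/* Hypothetical model of the resolver search-list walk: append each search
 * domain to HOST and accept the first candidate that has a record of the
 * requested family (AF_UNSPEC accepts any family). A domain that has only
 * records of the wrong family counts as NODATA and the walk continues. */
const char *canon_lookup(const char *host, int family)
{
    char fqdn[256];
    for (size_t i = 0; i < sizeof search_list / sizeof *search_list; i++) {
        snprintf(fqdn, sizeof fqdn, "%s.%s", host, search_list[i]);
        for (size_t j = 0; j < sizeof zone / sizeof *zone; j++)
            if (strcmp(zone[j].name, fqdn) == 0 &&
                (family == AF_UNSPEC || zone[j].family == family))
                return zone[j].name;
    }
    return NULL;
}

/* Models the lookup order described in the thread: AF_INET first, retry with
 * family 0 (AF_UNSPEC) only if that first lookup fails outright. */
const char *sname_lookup(const char *host)
{
    const char *canon = canon_lookup(host, AF_INET);
    return canon ? canon : canon_lookup(host, AF_UNSPEC);
}

int main(void)
{
    /* bar: AF_INET succeeds on the fallback domain, so the retry never runs
     * and the wrong name wins; only6: no A record anywhere, so the retry
     * with AF_UNSPEC finds the correct name. */
    printf("bar   -> %s\n", sname_lookup("bar"));
    printf("only6 -> %s\n", sname_lookup("only6"));
    return 0;
}
```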




Bug#532536: libgssapi-krb5: krb5_gss_acquire_cred resolves forward/reverse DNS but doesn't properly handles multiple search domains

2009-06-10 Thread Sam Hartman
I'll ask the person responsible for that.  I'm guessing there exists
some platform somewhere that does the wrong thing with af_family = 0.

I'm also hoping that we can move past that now.
I'm guessing that an svn blame would suggest that code is old.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#532536: libgssapi-krb5: krb5_gss_acquire_cred resolves forward/reverse DNS but doesn't properly handles multiple search domains

2009-06-09 Thread Michael Stapelberg
Package: libgssapi-krb5-2
Version: 1.6.dfsg.4~beta1-13
Severity: important

On my system, resolv.conf looks like this:
domain foo.net
search foo.net foo.lan
nameserver 192.168.1.1

Now, my hostname is bar.foo.net (as hostname --fqdn spits out properly). I tried to kerberize sshd and got some weird effect: only when I removed foo.lan from the search domains did it work. This is reproducible with a little Kerberos server/client program I found at Apple:
http://developer.apple.com/SampleCode/KerberosGSS/KerberosGSS.zip
(Start with ./gssserver -s foo to make it call krb5_gss_acquire_cred.)

strace'ing revealed that libgssapi-krb5 is first resolving bar.foo.net, then bar.foo.lan, then reverse(bar.foo.lan), and then takes this as the hostname for the realm.

To give a bit of background info on why this setup is necessary:
bar.foo.net is a public domain with a public DNS, containing exactly one  record which is updated to wherever the computer is at the moment (notebook).

bar.foo.lan is an internal domain at an internal DNS, containing an A record and an  record. This DNS is internal because most of it is behind a NAT and thus uninteresting for the rest of the world. Additionally, it needs to be updated by other people in-house who should not get access to the public DNS infrastructure.

Regardless of the sense or nonsense of this setup, resolving should stop at the first match, that is, bar.foo.net with its  record.

In sshd, the problem can be worked around by using GSSAPIStrictAcceptorCheck no. I have not yet tested other programs, but I think they might not all have such a workaround and might break, thus I filed this bug with severity: important.

Unfortunately I wasn’t able to find the code which does the resolving itself or I would have sent a patch. Please enlighten me.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.1-midna-2 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgssapi-krb5-2 depends on:
ii  libc6            2.9-12               GNU C Library: Shared libraries
ii  libcomerr2       1.41.3-1             common error description library
ii  libk5crypto3     1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - C
ii  libkeyutils1     1.2-10               Linux Key Management Utilities (li
ii  libkrb5-3        1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries
ii  libkrb5support0  1.6.dfsg.4~beta1-13  MIT Kerberos runtime libraries - S

libgssapi-krb5-2 recommends no packages.

Versions of packages libgssapi-krb5-2 suggests:
ii  krb5-doc         1.6.dfsg.4~beta1-13  Documentation for MIT Kerberos
pn  krb5-user        none                 (no description available)

-- no debconf information






Bug#532536: libgssapi-krb5: krb5_gss_acquire_cred resolves forward/reverse DNS but doesn't properly handles multiple search domains

2009-06-09 Thread Sam Hartman
This is strange.  So, the reverse resolution behavior is intentional
(and highly broken--it's a long story) but can be disabled by setting
rdns=true in the libdefaults section of krb5.conf.

Gss calls gss_import_name (lib/gssapi/krb5/import_name.c) and that
calls krb5_sname_to_principal (src/lib/krb5/os/sn2princ.c) which is
almost certainly your problem.

However I think that just calls getaddrinfo and getnameinfo so I
suspect something strange is going on here.


