Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-14 Thread David Magda

Sure. Whatever. Feel free to close the ticket.



Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-14 Thread Sam Hartman
I'm sorry.
I'm still not seeing a harm here.
I absolutely agree that setting a default realm to something unexpected
would be problematic.
However simply having a realm listed in krb5.conf doesn't have any
effect unless you try to use that realm.  It's not like setting the
default URI for ldapsearch or adding relay configuration to main.cf.


What it means is that if you try to use that realm (and the information
is correct) then it will work.
I'll definitely remove the cruft, because you're right that krb5-config
has bitrotted a bit.
However, I consider making it so that using a particular Kerberos realm
will *work* if a user tries to do that consistent with the principle of
least surprise.

If something is causing a Kerberos realm to get used unintentionally as
a result of this, I'd consider that a bug, although I'd suspect it would
probably not be a bug in krb5-config.



Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda
Package: krb5-config
Version: 2.3
Severity: important

Our Kerberos domain is in the *.OICR.ON.CA address space. We only use it
internally with no employment of external entities for things like 
cross-domain trust.

Yet, when we install the krb5-config package, it has a bunch of stuff
for domains we have no interest in:


[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = kerberos.andrew.cmu.edu
        kdc = kerberos2.andrew.cmu.edu
        kdc = kerberos3.andrew.cmu.edu
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA


Why are all of these domains in the default install of Debian? There are
even bugs (621875, 587624) for updating people's domains: why?!

Can you remove them from the template/default install?


-- System Information:
Debian Release: 7.6
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10.9 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-config depends on:
ii  bind9-host 1:9.8.4.dfsg.P1-6+nmu2+deb7u2
ii  debconf [debconf-2.0]  1.5.49

krb5-config recommends no packages.

krb5-config suggests no packages.

-- debconf information excluded



Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda


> You ask to have these realms removed.
> My question is what harm is done by having them there?

> So, I'll admit a certain frustration that rather than answering
> the questions I asked you responded with your own questions.

Fair enough: as a sysadmin, when I enter answers for package 
installation, I expect the resulting set up to reflect those answers.


When I install LDAP packages, and I enter the URI for my LDAP server/s, 
I don't expect MIT's to be there or the University of Toronto's (whose 
campus is physically right across the street from my office).


When I enter the smart relay for (say) Postfix, I don't expect a value 
that contains the value for 1ts.org or doomcom.org in my main.cf.


Similarly when I enter my Kerberos domain, I expect it, and only it, to 
be in the resulting configuration.


The harm is the violation of POLA: principle of least astonishment.

https://en.wikipedia.org/wiki/Principle_of_least_astonishment

As you say, this isn't a huge, huge deal, but as someone who works in 
*.oicr.on.ca, I fail to see how it can be justified to have *.mit.edu, 
*.stanford.edu, *.cmu.edu, *.doomcom.org, *.gratuitous.org, *.1ts.org, 
*.gnu.org, *.ihtfp.org, and *.utoronto.ca in my default configuration. 
If I automate an install, I would want to pre-seed the answer to 
krb5-config/default_realm and get a sane result. Having to go in 
afterwards and tweak the configuration to something that reflects our 
environment should not be necessary.


If you want to have examples, perhaps use example.{com,org,net} from RFC 
2606/6761. At the very least, have others' commented out so they're not 
live.


If you want to bump this down to wishlist, feel free.

P.S. The values that are currently present don't seem to be correct. For 
example:


    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }

    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }

$ dig +short -t srv _kerberos._tcp.CSAIL.MIT.EDU
0 0 88 alsatian.csail.mit.edu.

$ dig +short -t srv _kerberos._tcp.ANDREW.CMU.EDU
0 0 88 KDC-02.ANDREW.CMU.EDU.
10 0 88 PPA-KDC-01.ANDREW.CMU.EDU.
0 0 88 KDC-01.ANDREW.CMU.EDU.



Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread David Magda
I own the domain magda.ca: can I get it added so that every Debian 
(and Ubuntu) install that uses Kerberos will have that domain in its 
krb5.conf?


I have a couple of friends that also have domains, can they request that 
they be added too?


What criteria are used to determine what gets added to every 
Kerberos-enabled Debian site out there?




Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread Sam Hartman
>>>>> "David" == David Magda <david.ma...@oicr.on.ca> writes:

    David> I own the domain magda.ca: can I get it added so that every
    David> Debian (and Ubuntu) install that uses Kerberos will have that
    David> domain in its krb5.conf?

    David> I have a couple of friends that also have domains, can they
    David> request that they be added too?

So, I'll admit a certain frustration that rather than answering the
 questions I asked you responded with your own questions.


In general, if you have a realm for which SRV records in DNS will not
provide adequate/sufficient information, or for which you want to get
domain-realm configuration and cross-realm referrals will not produce
adequate results, feel free to file a wishlist bug on krb5-config.
At least until we run into problems with bogus information or so much
information being included that file size is an issue, my plan would be
to process such requests.

Note that as far as I can tell, the impact of bogus information is
purely user inconvenience, and has very little security impact.



Bug#795380: krb5-config: default krb5.conf has other people's domains

2015-08-13 Thread Sam Hartman
>>>>> "David" == David Magda <david.ma...@oicr.on.ca> writes:


    David> Why are all of these domains in the default install of
    David> Debian? There are even bugs (621875, 587624) for updating
    David> people's domains: why?!

It's generally useful to have the domain-realm entries and if the realm
doesn't have SRV records it's generally useful to have the realms entry.
It allows a Debian user to kinit and use services in one of these realms
more easily.
It also makes it easier to guess the default realm of a system.

You ask to have these realms removed.
My question is what harm is done by having them there?
The default configuration also enables SRV lookups, so when the Kerberos
library encounters a realm that it doesn't know about it will already
try and use it.

Also, note that being in krb5.conf generally doesn't imply trust in a
realm.  Knowing about a realm doesn't mean you trust it to do anything.
There are some routing decisions that are affected when you have
credentials in a realm that has a cross-realm trust with another realm
and your local krb5.conf has domain-realms sections pointing to that
other realm.  These routing decisions do sometimes impact trust, but
again, only if you have a cross-realm trust established in the first
place.

Based on the description of your configuration I don't see trust or
other impact to the default krb5.conf.
What harm do you see?