This is something I brough up at IETF72 in Dublin, Ireland.
Kerberos (in the non Microsoft world) have always used DNS map to Kerberos principals. Sam Hartman describes the issue more here: http://www.painless-security.com/blog/2008/08/krb-dns/
My idea doesn’t come from how to secure Kerberos (I already know that using DNS is bad), it comes from how to make Kerberos useful for users in the transition. Having client configuration really sucks, its horrible and a really pain to upgrade, and when you think you solved it, someone installs a old krb5.conf that “have always worked” and was ”needed for some reason I can’t remember”. The reason it worked was because they forced the client to not upgrade, and the reason is that they have a broken application that can’t do the right thing. Do I sound bitter, well, kind of.
My idea is that the realm annouces in the krb5tgt that is support referrals and all entires are populated that the clients are supposed to be allowed to use. Ie, both host/shell@EXAMPLE.COM and host/shell.example.com@EXAMPLE.COM are in the Kerberos database. So when then user types in ssh shell, the library should just ignore that.
I’ve been experimenting with Heimdal to do this and have come some futher then when I talked at IETF with regard to practical problem.
First its hard to know what realm you are going to end up in, mostly because the interactions between name selection, dns canonlisation and referrals. The old way was simple:
- host = getnamebyaddr(getaddrbyname(hosthost))
- target = { service, host } @ getrealmforhost(host)
- ticket = get-service-ticket(target)
Using what the user provided seems simple.
- target = { service, hostname } @ get-realm(client-tgt)
- ticket = get-service-ticket(target)
- if ticket == null and compat: then ticket = old-method(hostname)
- use ticket
where get-service-ticket is this:
- tgt = get-tgt(client-principal)
- service-ticket = tgs-req(tgt, target, [canon])
- if (referrals(service-tkt)): then update(target, tgt = service-ticket), goto 2
- return service-ticket
So lets say we are the user foo@FOO.COM and we want to login to
the machine shell.
shell (aka shell.foo.com) is really part of BAR.COM service and since FOO.COM’s KDC knows that, its going to return a referral.
We are getting a referrals back, and the referral say that we should go to BAR.COM and what target principal to use.
In the AD world this is simple, all SPNs are part of the global catalog, so all KDC in the forest can figure out what the user really wanted. IN a pure Kerberos enviroment, its not that simple since this helicopter-view of the worlds doesn’t exist. So in the pure environment we can’t use short names when the short name is in another realm. We can only do hostname to realm mappings. Also note that the Global catalog on spans a forest, so in the multi-forest environment, Windows KDC also resolves to mapping full names into DNS names.
So a flag in the credential cache is probably a good idea to tell the client to turn off DNS-canon, but on the other hand, if the KDC turns on this flag, it also better support referrals and have a global view for its referral world if it want to support non-fqdn types of names.
Heimdal have had server referral for quite some time now, MIT Kerberos have not (they have it in the client though).