On 01/07/13 17:56, NeilBrown wrote:
> On Mon, 01 Jul 2013 12:22:22 -0400 Steve Dickson <SteveD@xxxxxxxxxx> wrote:
>
>> Sorry for getting into this so late... I did an extraordinary amount
>> of traveling in June....
>>
>> On 02/06/13 21:00, Neil Brown wrote:
>>> krb5_util tries various different credential names in order to find
>>> the machine credential, not all of them use the full host name of the
>>> current host.
>>>
>>> So if getting the full host name fails, don't give up completely,
>>> still try the other options.
>>>
>>> Signed-off-by: NeilBrown <neilb@xxxxxxx>
>>> ---
>>> utils/gssd/krb5_util.c | 8 ++++++--
>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
>>> index 9ef80f0..5e84481 100644
>>> --- a/utils/gssd/krb5_util.c
>>> +++ b/utils/gssd/krb5_util.c
>>> @@ -825,8 +825,10 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
>>> myhostad[i+1] = 0;
>>>
>>> retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
>>> - if (retval)
>>> - goto out;
>>> + if (retval) {
>>> + /* Don't use myhostname */
>>> + myhostname[0] = 0;
>>> + }
>>>
>>> code = krb5_get_default_realm(context, &default_realm);
>>> if (code) {
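Review bot: the get_full_hostname() failure is now swallowed silently in the new `if (retval) {` block; the old `goto out` at least propagated retval to the caller, whereas now nothing records that the host-name-based principals will never be tried. A diagnostic line inside that block would let an administrator see why only the wildcard or myhostad-based entries were considered, and the comment `/* Don't use myhostname */` should say how "don't use" is signalled, i.e. that an empty first byte is the sentinel the rest of the function relies on. Note that myhostad, built just above from the short name, is left as it was, so only the full-hostname variants are affected.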
>>> @@ -883,6 +885,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
>>> myhostad,
>>> NULL);
>>> } else {
>>> + if (!myhostname[0])
>>> + continue;
>>> snprintf(spn, sizeof(spn), "%s/%s@%s",
>>> svcnames[j], myhostname, realm);
>>> code = krb5_build_principal_ext(context, &princ,
>>>
>>>
>> At the end of the day... This patch allows the machine cred to be used when
>> there is no DNS or /etc/hosts is empty (aka getaddrinfo() fails via
>> the get_full_hostname() call).
>>
>> I'm thinking this is a good idea, but I have a gnawing feeling this would
>> open some type of security hole by using machine creds when they
>> should not be or they were not expected to be used...
>>
>> Am I being too paranoid???
>
> Probably, but it is a good default position nonetheless.
>
> This patch will only allow a machine credential to be used in the absence of
> an easily detected "full hostname" if a wild card machine credential is
> available. And if such is available, it seems wrong not to use it.
>
> If wildcard machine credentials were not expected to be used, it would seem
> strange to have them included in the keytab file.
>
> So I cannot see any hole.

Fair enough... Thanks!

steved.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
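Review bot: the `continue` added before the snprintf() bypasses everything that follows in this iteration of the svcnames[j] loop, not just the principal construction, so if the code after krb5_build_principal_ext() performs per-iteration cleanup or bookkeeping that the else branch normally reaches, it is skipped here; please confirm that nothing allocated earlier in the iteration is leaked by taking this early exit. A short comment on `if (!myhostname[0])` explaining that an empty name is the sentinel set when get_full_hostname() failed in the previous hunk would make the intent clear to the next reader without cross-referencing the other change.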