From geert@boskant.nl Sun Nov 16 01:07:12 2008
From: geert@boskant.nl
To: openldap-bugs@openldap.org
Subject: Re: (ITS#5812) New option to disable SASL host canonicalization
Date: Sun, 16 Nov 2008 01:07:12 +0000
Message-ID: <200811160107.mAG17CpJ048983@boole.openldap.org>

On Sat, Nov 15, 2008 at 6:20 PM, Howard Chu wrote:
>
> Breaking more software to use it with already broken software is, in a
> word, stupid. The standard practice for Kerberos requires you to have
> consistent forward and reverse DNS lookups. Sysadmins who are afraid to
> administer their software should either change their software or change
> their jobs.

Well .. I don't think my patch qualifies as breaking software to work with
broken software. The patch allows OpenLDAP applications to use alternative
ways for name canonicalization. At this moment this is not possible because
OpenLDAP is hard coded to canonicalize names with reverse DNS. This means I
cannot use the option that MIT Kerberos provides me to disable this
(rdns = no), as host names have already been reverse mapped by OpenLDAP
before they are passed into Kerberos.

I agree with you that reverse DNS should be correct. I just mentioned the
fact that many reverse DNS setups are broken as an example of why it can be
problematic. Another reason why canonicalization based on reverse DNS is
problematic is that it requires secure DNS to be secure. RFC4120 mentions
this:

  Implementations of Kerberos and protocols based on Kerberos MUST NOT
  use insecure DNS queries to canonicalize the hostname components of
  the service principal names (i.e., they MUST NOT use insecure DNS
  queries to map one name to another to determine the host part of the
  principal name with which one is to communicate).

The same RFC recommends in fact that applications do not canonicalize host
names at all:

  To maximize interoperability and security, applications SHOULD provide
  security mechanisms with names that result from folding the user-
  entered name to lowercase without performing any other modifications
  or canonicalization.

My patch implements this behaviour, as an option.

Regards,
Geert
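An added illustration, not part of the ITS thread or of OpenLDAP's or MIT Kerberos' code, of the two behaviours the message contrasts: building the SASL/GSSAPI service principal from the user-entered host by lowercase folding only (the RFC 4120 recommendation), versus passing it through a reverse-DNS step first. The DNS records, host names and the `rdns` parameter are constructed for the example; `rdns` only mirrors the sense of the krb5.conf setting named in the message.

```python
# Constructed DNS data standing in for real forward (A) and reverse (PTR)
# records; no lookups leave the process.
CONSTRUCTED_DNS = {
    "forward": {"ldap.example.com": "192.0.2.10"},
    "reverse": {"192.0.2.10": "ldap-1.example.com"},
}


def fold_only(host: str) -> str:
    """RFC 4120 recommendation: lowercase-fold the user-entered name and
    make no other modification."""
    return host.lower()


def reverse_dns_canonicalize(host: str, dns: dict) -> str:
    """The behaviour the patch makes optional: resolve the name to an
    address, then take whatever name the PTR record for that address
    returns. The PTR answer, not the user's input, ends up in the principal."""
    addr = dns["forward"].get(host.lower())
    if addr is None:
        raise LookupError(f"no address for {host}")
    return dns["reverse"].get(addr, host.lower())


def service_principal(service: str, host: str, realm: str,
                      rdns: bool, dns: dict = CONSTRUCTED_DNS) -> str:
    """Build service/host@REALM. rdns=True canonicalizes via reverse DNS,
    rdns=False uses the folded user-entered name (hypothetical parameter)."""
    name = reverse_dns_canonicalize(host, dns) if rdns else fold_only(host)
    return f"{service}/{name}@{realm}"


if __name__ == "__main__":
    # Same user input, two principals: the rdns path depends entirely on
    # the PTR answer, which an unsigned DNS reply can change, so the
    # client may request a ticket for a host it never named.
    for flag in (False, True):
        print(f"rdns={flag}:",
              service_principal("ldap", "LDAP.Example.COM", "EXAMPLE.COM", flag))
```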