2017-12-14 09:57 UTC

View Issue Details

ID: 0010775
Project: CentOS-6
Category: krb5
View Status: public
Last Update: 2017-11-22 15:17
Reporter: laebshade
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.7
Target Version: (none)
Fixed in Version: (none)
Summary: 0010775: krb5-libs canonicalizes hostnames for server principals breaking CNAME usage for server principals
Description
There is a regression in krb5-libs (krb5-libs-1.10.3-42z1) which makes krb5-libs unusable in the following environment:
  - Hostnames pointing to CNAMEs for server principals validate against the target of the CNAME instead of the given server principal/hostname.
Steps To Reproduce
Reproduction requires a working Kerberos system with a REST URL endpoint that supports authenticating via a Kerberos ticket.

Where y.a_real.url is the resolved CNAME of x.a_real.url:

1. curl -u : --negotiate -vi -H 'Content-Type:application/json' -X POST -d '{"json": [{"pay": "load"}], "message": ""}' https://x.a_real.url
2. Part of the return will contain: Server HTTP/y.a_real.url@REALM not found in Kerberos database
Additional Information
This behavior does not exist in CentOS 5, and is enabled by default in CentOS 7 but disabled by the optional dns_canonicalize_hostname flag in krb5.conf, which the attached patch introduces.

Patch was adapted from https://github.com/krb5/krb5/commit/60edb321af64081e3eb597da0256faf117c9c441

RPMs with the attached patch applied are working as expected in testing environment across hundreds of hosts.

The patch is necessary for our company as we use hardware load balancers behind a CNAME.
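Added example (not part of the report, and not krb5's own code): a small Python model of what the client does in the failing step above. It qualifies a host name and follows CNAMEs the way getaddrinfo() does for the library, builds the HTTP/host@REALM principal with and without the dns_canonicalize_hostname libdefault the patch adds, and looks the result up in a constructed KDC principal list that, as in the report, only knows the CNAME name. The zone data, the search domain a_real.url, the realm name REALM and the krb5.conf snippets are all constructed for the example; the case folding and trailing-dot stripping mirror what the library does for host-based names regardless of the DNS result.

```python
"""Model of the client side of the report: how a host name becomes a
host-based service principal with and without dns_canonicalize_hostname.
Added example, not krb5 code.  DNS data, realm and KDC contents are
constructed to mirror the report; a_real.url names are placeholders."""
import re

# Constructed zone: x.a_real.url is a CNAME to the load balancer
# y.a_real.url, and portal.a_real.url is a CNAME to x (a two-level chain).
CNAME_RECORDS = {
    "x.a_real.url": "y.a_real.url",
    "portal.a_real.url": "x.a_real.url",
}
ADDRESS_RECORDS = {"y.a_real.url": "192.0.2.10"}
SEARCH_DOMAIN = "a_real.url"          # resolver search-list entry (assumed)

# Constructed KDC database: only the CNAME name has a key, as in the report.
KDC_PRINCIPALS = {"HTTP/x.a_real.url@REALM"}

_TRUE = {"y", "yes", "true", "t", "1", "on"}
_FALSE = {"n", "no", "false", "nil", "0", "off"}


def canonicalize(hostname):
    """Stand-in for getaddrinfo() with AI_CANONNAME: qualify a short name
    with the search domain, then follow CNAMEs down to the address record."""
    name = hostname.rstrip(".").lower()
    if "." not in name:
        name = f"{name}.{SEARCH_DOMAIN}"
    seen = set()
    while name in CNAME_RECORDS:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = CNAME_RECORDS[name]
    if name not in ADDRESS_RECORDS:
        raise LookupError(f"no address record for {name}")
    return name


def read_dns_canonicalize_hostname(krb5_conf_text):
    """Read dns_canonicalize_hostname from [libdefaults] only, accepting the
    boolean spellings the krb5 profile code accepts.  Unset means True."""
    stanza = re.search(r"^\[libdefaults\](.*?)(?=^\[|\Z)", krb5_conf_text,
                       re.MULTILINE | re.DOTALL)
    body = stanza.group(1) if stanza else ""
    match = re.search(r"^\s*dns_canonicalize_hostname\s*=\s*(\S+)", body,
                      re.MULTILINE)
    if match is None:
        return True
    value = match.group(1).lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"bad boolean for dns_canonicalize_hostname: {value}")


def sname_to_principal(service, hostname, realm, dns_canonicalize_hostname=True):
    """Mirror the KRB5_NT_SRV_HST path: the DNS step is conditional on the
    option, case folding and trailing-dot removal are applied either way."""
    host = canonicalize(hostname) if dns_canonicalize_hostname else hostname
    host = host.rstrip(".").lower()
    return f"{service}/{host}@{realm}"


def request_service_ticket(service, hostname, realm, krb5_conf_text=""):
    """Principal the client asks for, and the KDC's answer from the
    constructed database.  Returns (principal, error message or None)."""
    flag = read_dns_canonicalize_hostname(krb5_conf_text)
    principal = sname_to_principal(service, hostname, realm, flag)
    if principal in KDC_PRINCIPALS:
        return principal, None
    return principal, f"Server {principal} not found in Kerberos database"


DEFAULT_CONF = "[libdefaults]\n    default_realm = REALM\n"
PATCHED_CONF = DEFAULT_CONF + "    dns_canonicalize_hostname = false\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("patched", PATCHED_CONF)):
        for host in ("x.a_real.url", "X.A_REAL.URL.", "portal.a_real.url", "x"):
            principal, err = request_service_ticket("HTTP", host, "REALM", conf)
            print(f"{label:8} {host:18} -> {principal:28} {err or 'ticket issued'}")
```

Run as a script it prints one line per (configuration, host) pair: the default configuration reproduces `Server HTTP/y.a_real.url@REALM not found in Kerberos database`, while the patched one gets a ticket for x.a_real.url but, as the caveat in the patch's documentation text says, no longer turns the short name `x` into `x.a_real.url`, so callers must pass fully qualified names once the option is off. On a real client the equivalent check is `KRB5_TRACE=/dev/stderr kvno -S HTTP x.a_real.url`, which logs the principal the library actually requests after applying the flag.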
Tags: No tags attached.
Attached Files
  • krb5-dns_canonicalize_hostname.patch (4,215 bytes) 2016-04-28 03:00
    diff --git a/doc/admin.texinfo b/doc/admin.texinfo
    index cf39f18..03b6462 100644
    --- a/doc/admin.texinfo
    +++ b/doc/admin.texinfo
    @@ -587,6 +587,13 @@ depends on configure-time options; if none were given, the default is to
     disable this option.  If the DNS support is not compiled in, this entry
     has no effect.
     
    +@itemx dns_canonicalize_hostname
    +Indicate whether name lookups will be used to canonicalize hostnames for
    +use in service principal names. Setting this flag to false can improve 
    +security by reducing reliance on DNS but means that short hostnames will
    +not be canonicalized to fully-qualified hostnames. The default value is 
    +false.
    +
     @itemx dns_fallback
     General flag controlling the use of DNS for Kerberos information.  If
     both of the preceding options are specified, this option has no effect.
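Review bot: the doc text `The default value is false.` contradicts the init_ctx.c hunk in this same patch, which reads the option with `profile_get_boolean(..., NULL, 1, &tmp)`, i.e. a default of true; since the intent is that existing hosts keep canonicalizing unless an administrator opts out, the documentation should say `The default value is true.` Inserting the new @itemx directly above `@itemx dns_fallback` also breaks that entry's wording, `If both of the preceding options are specified, this option has no effect.`, which was written about the two entries that used to precede it and now appears to include dns_canonicalize_hostname; either place the new item after dns_fallback or name the two options explicitly. The lines ending `can improve ` and `The default value is ` carry trailing whitespace.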
    diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
    index 09fa12f..a67a802 100644
    --- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
    +++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
    @@ -101,6 +101,9 @@ The libdefaults section may contain any of the following relations:
     **default_tkt_enctypes**
         Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is *aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4*. 
     
    +**dns_canonicalize_hostname***
    +    Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS but means that short hostnames will not be canonicalized to fully-qualified hostnames. The default value is false.
    +
     **dns_fallback**
         General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect. 
     
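Review bot: `**dns_canonicalize_hostname***` has a stray third asterisk, which leaves the reStructuredText bold markup unbalanced (Sphinx will warn, and the title renders with a literal asterisk); it should be `**dns_canonicalize_hostname**` to match `**dns_fallback**` below it. The same two issues as in admin.texinfo apply here: `The default value is false.` contradicts the code default of 1 in init_ctx.c, and the new entry now sits directly above `**dns_fallback**`, whose `If both of the preceding options are specified` no longer refers to the options it was written about.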
    diff --git a/src/include/k5-int.h b/src/include/k5-int.h
    index 6bbad6b..f72d3a3 100644
    --- a/src/include/k5-int.h
    +++ b/src/include/k5-int.h
    @@ -207,6 +207,7 @@ typedef INT64_TYPE krb5_int64;
     #define KRB5_CONF_DISABLE                     "disable"
     #define KRB5_CONF_DISABLE_LAST_SUCCESS        "disable_last_success"
     #define KRB5_CONF_DISABLE_LOCKOUT             "disable_lockout"
    +#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME   "dns_canonicalize_hostname"
     #define KRB5_CONF_DNS_LOOKUP_KDC              "dns_lookup_kdc"
     #define KRB5_CONF_DNS_LOOKUP_REALM            "dns_lookup_realm"
     #define KRB5_CONF_DNS_FALLBACK                "dns_fallback"
    @@ -1480,6 +1481,7 @@ struct _krb5_context {
     
         krb5_boolean allow_weak_crypto;
         krb5_boolean ignore_acceptor_hostname;
    +    krb5_boolean dns_canonicalize_hostname;
     
         krb5_trace_callback trace_callback;
         void *trace_callback_data;
    diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
    index 059f764..f8c9ce5 100644
    --- a/src/lib/krb5/krb/init_ctx.c
    +++ b/src/lib/krb5/krb/init_ctx.c
    @@ -178,6 +178,14 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
             goto cleanup;
         ctx->ignore_acceptor_hostname = tmp;
     
    +    /* Disables canonicalizing hostnames for service principals. */
    +    retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
    +				 KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, NULL, 1,
    +				 &tmp);
    +    if (retval)
    +     	goto cleanup;
    +    ctx->dns_canonicalize_hostname = tmp;
    +
         /* initialize the prng (not well, but passable) */
         if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
             goto cleanup;
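Review bot: the comment `/* Disables canonicalizing hostnames for service principals. */` misdescribes the block; the call passes a default of 1, so the normal outcome is that canonicalization stays on and the setting only lets an administrator turn it off. `/* Whether to canonicalize hostnames for service principals (default true). */` would be accurate. The continuation lines `KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, NULL, 1,` and `&tmp);` are tab-indented and `goto cleanup;` mixes spaces and a tab, unlike the four-space indentation of the surrounding `ctx->ignore_acceptor_hostname = tmp;` block; reindent with spaces. The default of 1 also has to be reconciled with the two documentation hunks, which both say false.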
    diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
    index f149feb..2a42445 100644
    --- a/src/lib/krb5/os/sn2princ.c
    +++ b/src/lib/krb5/os/sn2princ.c
    @@ -89,7 +89,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
     
             /* copy the hostname into non-volatile storage */
     
    -        if (type == KRB5_NT_SRV_HST) 1
    +        if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) {
                 struct addrinfo *ai = NULL, hints;
                 int err;
                 char hnamebuf[NI_MAXHOST];
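Review bot: the removed line appears as `if (type == KRB5_NT_SRV_HST) 1` while the added line ends in `{`; a `-` line that does not match the source byte for byte will make this hunk fail to apply, so check whether the trailing `1` is in the attached file or only in this page's rendering of it. The new condition is the right shape for the CNAME problem: with the option off, KRB5_NT_SRV_HST names skip the getaddrinfo() block entirely, so the name the caller supplied becomes the principal's host component and a DNS answer no longer decides which service key the client will accept, which is the security gain the documentation hunks describe. The flip side, also stated there, belongs in the changelog: a short name such as `x` now yields `HTTP/x` rather than a fully qualified principal, so applications that relied on DNS to qualify names need FQDNs in their configuration.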
    

Notes

~0026383

laebshade (reporter)

s/server/service/g

~0028247

laebshade (reporter)

This has been cross-reported to the Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1332696

Progress has been made, and the fix is expected to be included with RHEL 6.9.

~0030636

laebshade (reporter)

Issue resolved in CentOS 6.9 per https://bugzilla.redhat.com/show_bug.cgi?id=1332696

Can someone close this issue as fixed?

Issue History
Date Modified Username Field Change
2016-04-28 03:00 laebshade New Issue
2016-04-28 03:00 laebshade File Added: krb5-dns_canonicalize_hostname.patch
2016-04-28 03:05 laebshade Note Added: 0026383
2016-12-29 18:56 laebshade Note Added: 0028247
2017-11-22 15:17 laebshade Note Added: 0030636