
curl-library

Curl_sasl_build_spn does not do rDNS lookup when forming SPN

From: Wenlong Dong <wdong87_at_gmail.com>
Date: Sat, 17 Oct 2015 17:03:01 -0700

Hi,

When Curl forms the service principal given the service name, it simply
formats the service principal name as "<service_name>/<host_name>" in
Curl_sasl_build_spn. The "<host_name>" is basically the host name part of
the URL. So if the host name is an IP address, the SPN would be wrong
according to the following doc:
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
> In the case of a host, the instance is the fully qualified hostname,
> e.g., daffodil.mit.edu.

Because of this, the Kerberos ticket generated by the KDC is unusable by the
service. What's worse is that the JDK would pass on calling
GSSContext.acceptSecContext() silently, but in fact it could not even get
the client's principal name. This affects the SPNEGO scenario for libcurl.

Could libcurl perform a reverse DNS lookup to get the fully qualified
hostname?

Thanks,
Bill
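The SPN construction the mail describes, with the reverse lookup it asks for, as an added example that is not part of the post and not libcurl's code. The names (build_spn, parse_ip_literal, the resolver callables) and the constructed PTR/forward tables are assumptions made for illustration. It goes one step beyond the request: the name obtained from the PTR record is only accepted if it forward-resolves back to the same address, because PTR data is controlled by whoever owns the reverse zone for that IP, and an unconfirmed reverse lookup would let that party choose which service principal the client asks a ticket for.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], Optional[str]]   # ip literal -> PTR name or None
ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> A/AAAA literals

# Constructed sample DNS data (not real hosts) so the example runs offline.
CONSTRUCTED_PTR = {
    "192.0.2.10": "daffodil.example.com.",   # PTR agrees with forward record
    "192.0.2.20": "spoofed.example.net.",    # PTR points at a name that resolves elsewhere
    "2001:db8::1": "v6host.example.com",
}
CONSTRUCTED_FORWARD = {
    "daffodil.example.com": ["192.0.2.10"],
    "spoofed.example.net": ["198.51.100.5"],
    "v6host.example.com": ["2001:db8::1"],
}


def constructed_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table above."""
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward_lookup(name: str) -> Iterable[str]:
    """Forward lookup against the constructed table above."""
    return CONSTRUCTED_FORWARD.get(name, [])


def system_reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:           # socket.herror / gaierror are OSError subclasses
        return None


def system_forward_lookup(name: str) -> Iterable[str]:
    """A/AAAA lookup through the system resolver; empty when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return ()


def parse_ip_literal(host: str):
    """Return an ip_address object if host is a v4/v6 literal (bracketed v6 allowed), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def build_spn(service: str, host: str,
              reverse_lookup: ReverseLookup = system_reverse_lookup,
              forward_lookup: ForwardLookup = system_forward_lookup) -> str:
    """Build "<service>/<host>"; for an IP literal, substitute the forward-confirmed PTR name.

    Falls back to the literal itself (the behaviour the mail describes) when there is
    no PTR record or the PTR name does not resolve back to the same address.
    """
    addr = parse_ip_literal(host)
    if addr is None:
        return f"{service}/{host}"            # a hostname was given: use it as-is

    ptr = reverse_lookup(str(addr))
    if ptr:
        # Assumption: strip the trailing dot and lowercase, as resolvers commonly canonicalise.
        fqdn = ptr.rstrip(".").lower()
        confirmed = {parse_ip_literal(a) for a in forward_lookup(fqdn)}
        if addr in confirmed:                 # forward-confirmed reverse DNS
            return f"{service}/{fqdn}"
    return f"{service}/{host}"


if __name__ == "__main__":
    for h in ("192.0.2.10", "192.0.2.20", "[2001:db8::1]", "daffodil.example.com"):
        print(h, "->", build_spn("HTTP", h, constructed_reverse_lookup, constructed_forward_lookup))
```

With the constructed tables, 192.0.2.10 becomes HTTP/daffodil.example.com, while 192.0.2.20 keeps the IP literal because spoofed.example.net does not resolve back to it. MIT krb5 exposes the same trade-off as the `rdns` setting in [libdefaults], and a client that performs this lookup itself should expect the same failure mode: the PTR result is only as trustworthy as the reverse zone.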

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-10-18