curl-library

Re: Curl_sasl_build_spn does not do rDNS lookup when forming SPN

From: Wenlong Dong <wdong87_at_gmail.com>
Date: Mon, 19 Oct 2015 13:21:14 -0700

Isaac and all,

Does gssapi or libcurl allow a per-session setting for the rdns lookup? Changing
the rdns setting in the machine-level krb5.conf has quite some impact normally.

Thanks,
Bill

On Sun, Oct 18, 2015 at 2:35 PM, Isaac Boukris <iboukris_at_gmail.com> wrote:

>
> On Oct 19, 2015 12:20 AM, "Wenlong Dong" <wdong87_at_gmail.com> wrote:
> >
> > Yeah, that works! Isaac, thanks a lot! Just curious, is this the right
> > way to do this, or should libcurl explicitly do the rdns lookup? The SPN
> > name with the IP address is not a valid name anyway, I guess.
>
> I think the gssapi library is a better place for name canonization.
>
> > On Sun, Oct 18, 2015 at 2:12 AM, Isaac Boukris <iboukris_at_gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> On Sun, Oct 18, 2015 at 3:03 AM, Wenlong Dong <wdong87_at_gmail.com> wrote:
> >> > Hi,
> >> >
> >> > When Curl forms the service principal given the service name, it simply
> >> > formats the service principal name with "<service_name>/<host_name>" in
> >> > Curl_sasl_build_spn. The "<host_name>" is basically the host name part of
> >> > the URL. So if the host name is an IP address, the SPN would be wrong
> >> > according to the following doc:
> >> > http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
> >> >>> In the case of a host, the instance is the fully qualified hostname,
> >> >>> e.g., daffodil.mit.edu.
> >> >
> >> > Because of this, the Kerberos ticket generated by the KDC is unusable by
> >> > the service. What's worse is that the JDK would pass on calling
> >> > GSSContext.acceptSecContext() silently, but in fact it could not even get
> >> > the client's principal name. This affects the SPNEGO scenario for libcurl.
> >> >
> >> > Could libcurl perform a reverse DNS lookup to get the fully qualified
> >> > hostname?
> >>
> >> I think you might be able to achieve this at the KRB library level
> >> ('rdns=true' under 'libdefaults' in 'krb5.conf').
> >>
> >> HTH

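As an added illustration of the SPN problem discussed in this thread (this is not libcurl or MIT Kerberos code): the raw "<service_name>/<host_name>" string libcurl builds from the URL host, beside a variant that canonicalizes an IP-literal host to its fully qualified hostname via reverse DNS, which is what the rdns=true setting asks the Kerberos library to do. The addresses, hostnames and PTR table are constructed, and the lookup function is injected so the code runs offline.

```python
import ipaddress
import socket

# Constructed reverse-DNS table standing in for real PTR records
# (192.0.2.0/24 is a documentation range; the FQDN is the one from the MIT doc).
FAKE_PTR = {"192.0.2.10": "daffodil.mit.edu"}


def build_spn(service, host):
    """Mirror what the thread says Curl_sasl_build_spn does:
    plain "<service_name>/<host_name>" with no canonicalization."""
    return f"{service}/{host}"


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (brackets around IPv6 tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def canonical_host(host, ptr_lookup=None):
    """Hypothetical canonicalization step: an IP-literal host is mapped to its
    FQDN by reverse DNS (default: socket.gethostbyaddr); a hostname is kept,
    lowercased and without a trailing dot. Returns None if no PTR exists."""
    if not is_ip_literal(host):
        return host.lower().rstrip(".")
    lookup = ptr_lookup or (lambda ip: socket.gethostbyaddr(ip)[0])
    try:
        fqdn = lookup(host.strip("[]"))
    except (socket.herror, socket.gaierror, KeyError):
        return None  # no PTR record: a valid host-based SPN cannot be formed
    return fqdn.lower().rstrip(".")


def build_canonical_spn(service, host, ptr_lookup=None):
    """SPN with the instance part canonicalized; fails loudly instead of
    silently producing "<service>/<ip>" that the KDC ticket will not match."""
    fqdn = canonical_host(host, ptr_lookup)
    if fqdn is None:
        raise ValueError(f"no reverse DNS entry for {host}; SPN would be unusable")
    return build_spn(service, fqdn)


def demo():
    ptr = lambda ip: FAKE_PTR[ip]  # constructed lookup, no network needed
    return {
        "raw": build_spn("HTTP", "192.0.2.10"),                         # HTTP/192.0.2.10
        "canonical": build_canonical_spn("HTTP", "192.0.2.10", ptr),    # HTTP/daffodil.mit.edu
        "fqdn_passthrough": build_canonical_spn("HTTP", "Daffodil.MIT.edu.", ptr),
    }
```

The "raw" form is the one the thread reports as rejected by the service; the canonical form only works when the address has a PTR record, which is the operational caveat of relying on rdns.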
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-10-19