Can ipropd-master service not do reverse DNS lookups?


Adam Lewenberg
I am trying to set up iprop replication for a slave KDC running on a
container in an EC2 instance in Amazon Web Services (AWS). We are
running Heimdal 1.5.2.

When the slave ipropd-slave connects to the master, it looks like the
master is doing a reverse DNS lookup on the slave's IP address and
getting one of those long Amazon addresses (e.g.,
ec2-52-45-91-42.us-west-2.compute.amazonaws.com). It then looks for the
principal "iprop/ec2-52-45-91-42.us-west-2.compute.amazonaws.com" in its
database.

We could just make the iprop principal the slave uses be
"iprop/ec2-52-45-91-42.us-west-2.compute.amazonaws.com" but the problem
with this is that the EC2 instance our slave runs on can change its IP
address at any time due to rebuilding or redeploying.

Is there anyway to get ipropd-master NOT to do this reverse DNS lookup
and just accept the principal name as sent by the slave? For example, I
would like to create a principal "iprop/testing123" and use that instead
of one based on a hostname. (We would still require that whatever
principal was sent by the slave would need to be listed in the
/var/heimdal/slaves file.)

Thanks, Adam Lewenberg


Re: Can ipropd-master service not do reverse DNS lookups?

Jeffrey Hutzelman
On Fri, 2017-04-07 at 12:31 -0700, Adam Lewenberg wrote:

> I am trying to set up iprop replication for a slave KDC running on a 
> container in an EC2 instance in Amazon Web Services (AWS). We are 
> running Heimdal 1.5.2.
>
> When the slave ipropd-slave connects to the master, it looks like
> the 
> master is doing a reverse DNS lookup on the slave's IP address and 
> getting one of those long Amazon addresses (e.g., 
> ec2-52-45-91-42.us-west-2.compute.amazonaws.com). It then looks for
> the 
> principal "iprop/ec2-52-45-91-42.us-west-2.compute.amazonaws.com" in
> its 
> database.

Are you sure that's what's happening?  ipropd connections are made by
the slave to the master, and the authentication runs in that direction.
The master can't just make up a principal name; it has to use the one
in the ticket actually presented by the slave.

Looking at (fairly old) code, what appears to be the case is that
ipropd-slave constructs its own client principal name by calling
krb5_sname_to_principal with a NULL hostname (which means to use the
local hostname). Unfortunately, the library persists in taking that as
license to perform forward and reverse DNS name lookups in deriving the
Kerberos principal name, despite over a decade of advice to the
contrary, including RFC4120 which states "Implementations of Kerberos
and protocols based on Kerberos MUST NOT use insecure DNS queries to
canonicalize the hostname components of service principal names."*


So no, there's no way to avoid using a hostname. However, I believe you
should be able to suppress the reverse DNS resolution step by setting
"rdns=false" in the libdefaults section of krb5.conf. After that, it
should use whatever `hostname` returns (at least, if that's fully
qualified).


-- Jeff


(*) No, I'm not even slightly bitter over this failure of every major
Kerberos implementation to avoid what I consider to be a significant
security issue. After all, it's not like they were all there when
RFC4120 was written...


Re: Can ipropd-master service not do reverse DNS lookups?

Adam Lewenberg


On 4/7/2017 12:55 PM, Jeffrey Hutzelman wrote:

> On Fri, 2017-04-07 at 12:31 -0700, Adam Lewenberg wrote:
>> I am trying to set up iprop replication for a slave KDC running on a
>> container in an EC2 instance in Amazon Web Services (AWS). We are
>> running Heimdal 1.5.2.
>>
>> When the slave ipropd-slave connects to the master, it looks like
>> the
>> master is doing a reverse DNS lookup on the slave's IP address and
>> getting one of those long Amazon addresses (e.g.,
>> ec2-52-45-91-42.us-west-2.compute.amazonaws.com). It then looks for
>> the
>> principal "iprop/ec2-52-45-91-42.us-west-2.compute.amazonaws.com" in
>> its
>> database.
>
> Are you sure that's what's happening?  ipropd connections are made by
> the slave to the master, and the authentication runs in that direction.
> The master can't just make up a principal name; it has to use the one
> in the ticket actually presented by the slave.
>
> Looking at (fairly old) code, what appears to be the case is that
> ipropd-slave constructs its own client principal name by calling
> krb5_sname_to_principal with a NULL hostname (which means to use the
> local hostname). Unfortunately, the library persists in taking that as
> license to perform forward and reverse DNS name lookups in deriving the
> Kerberos principal name, despite over a decade of advice to the
> contrary, including RFC4120 which states "Implementations of Kerberos
> and protocols based on Kerberos MUST NOT use insecure DNS queries to
> canonicalize the hostname components of service principal names."*
>
>
> So no, there's no way to avoid using a hostname. However, I believe you
> should be able to suppress the reverse DNS resolution step by setting
> "rdns=false" in the libdefaults section of krb5.conf. After that, it
> should use whatever `hostname` returns (at least, if that's fully
> qualified).


Changing the hostname on the slave works. The hostname doesn't even have
to be fully-qualified.

If I want to use a non-hostname-based iprop principal I could change
hostname, start ipropd-slave, and change hostname back (this assumes
that ipropd-slave does its hostname lookup only at the start and then
never again). But this approach is very klunky.

It would be nice if I could start ipropd-slave with an option to set the
iprop principal to something other than `hostname`.

Thanks very much!

Adam Lewenberg




Re: Can ipropd-master service not do reverse DNS lookups?

Jeffrey Hutzelman
On Fri, 2017-04-07 at 13:41 -0700, Adam Lewenberg wrote:

> It would be nice if I could start ipropd-slave with an option to set
> the iprop principal to something other than `hostname`.

I agree, that would seem to be a useful feature. As would the ability
to set the ipropd-master service principal name, for similar reasons.

-- Jeff

Re: Can ipropd-master service not do reverse DNS lookups?

Henry B (Hank) Hotz, CISSP-2
I thought there was already a command-line option to do that.

Yes, there is. Do an ipropd-slave --help. The option is --hostname=<what you want>. ipropd-master has the same option.

I’m looking at 7.0.1.

> On Apr 7, 2017, at 1:47 PM, Jeffrey Hutzelman <[hidden email]> wrote:
>
> On Fri, 2017-04-07 at 13:41 -0700, Adam Lewenberg wrote:
>
>> It would be nice if I could start ipropd-slave with an option to set
>> the iprop principal to something other than `hostname`.
>
> I agree, that would seem to be a useful feature. As would the ability
> to set the ipropd-master service principal name, for similar reasons.
>
> -- Jeff

Personal email.  [hidden email]
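To make the thread's point concrete, here is a small Python model (an added example, not Heimdal's code) of how an iprop client principal is derived from the local hostname: the default path takes a forward lookup and then a PTR lookup, so the name in the principal is whatever the reverse zone answers; rdns=false keeps the locally configured name; and the --hostname option bypasses the lookup entirely. The DNS tables, realm and slaves file are constructed, and the slaves file is assumed to hold one full principal per line.

```python
# Illustrative model of iprop principal derivation (added example, not Heimdal code).

# Constructed forward (A) and reverse (PTR) tables standing in for real DNS.
FORWARD = {"kdc-slave.example.com": "52.45.91.42"}
REVERSE = {"52.45.91.42": "ec2-52-45-91-42.us-west-2.compute.amazonaws.com"}
REALM = "EXAMPLE.COM"  # constructed


def canonical_host(local_hostname, rdns=True, override=None,
                   forward=FORWARD, reverse=REVERSE):
    """Return the host component that ends up in iprop/<host>@REALM.

    override models ipropd-slave --hostname=NAME: used as given, no DNS.
    rdns=True models the default: resolve the local name to an address,
    then let the PTR answer (owned by whoever controls the reverse zone,
    here AWS) replace the name.  rdns=False stops after the local name.
    Names are lowercased, as Kerberos libraries do for host components.
    """
    if override:
        return override.lower()
    host = local_hostname.lower()
    if not rdns:
        return host
    addr = forward.get(host)
    if addr is None:          # forward lookup failed: keep the local name
        return host
    return reverse.get(addr, host).lower()


def iprop_principal(host, realm=REALM):
    return f"iprop/{host}@{realm}"


def allowed_by_slaves_file(principal, slaves_text):
    """Model the master's check of the presented principal against
    /var/heimdal/slaves (assumed: one full principal per line, # comments)."""
    allowed = {ln.strip() for ln in slaves_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return principal in allowed


SLAVES_FILE = "# constructed /var/heimdal/slaves\niprop/testing123@EXAMPLE.COM\n"

if __name__ == "__main__":
    for kw in ({}, {"rdns": False}, {"override": "testing123"}):
        p = iprop_principal(canonical_host("kdc-slave.example.com", **kw))
        print(kw, p, "allowed" if allowed_by_slaves_file(p, SLAVES_FILE) else "rejected")
```

Swapping in a different REVERSE table (as happens when the instance is rebuilt with a new address) changes the default-path principal while the rdns=false and --hostname results stay fixed, which is exactly why a stable name belongs in the slaves file.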




Re: Can ipropd-master service not do reverse DNS lookups?

Adam Lewenberg


On 4/7/2017 2:01 PM, Henry B (Hank) Hotz, CISSP wrote:
> I thought there was already a command-line option to do that.
>
> Yes, there is. Do an ipropd-slave --help. The option is --hostname=<what you want>. ipropd-master has the same option.
>
> I’m looking at 7.0.1.

The --hostname option seems to work in 1.5.2 also. It's not in the
(1.5.2) man page! Thanks, Henry.

Adam




Re: Can ipropd-master service not do reverse DNS lookups?

Henry B (Hank) Hotz, CISSP-2
One nice thing about the “help” options are that they are tied directly into the CL processing utilities so they show you what’s actually understood. You don’t need to depend on someone updating the man pages. Heimdal has been pretty good about that overall, but it depends on who’s doing the updates.


Personal email.  [hidden email]