shishi_realm_for_server_dns(3) API function

SYNOPSIS

#include <shishi.h>

char * shishi_realm_for_server_dns(Shishi * handle, char * server);

ARGUMENTS

Shishi * handle
Shishi library handle created by shishi_init().
char * server
hostname to find realm for.

DESCRIPTION

Find realm for a host using DNS lookups, according to draft-ietf-krb-wg-krb-dns-locate-03.txt. Since DNS lookups may be spoofed, relying on the realm information may result in a redirection attack. In a single-realm scenario, this only achieves a denial of service, but with cross-realm trust it may redirect you to a compromised realm. For this reason, Shishi prints a warning, suggesting that the user should add the proper 'server-realm' configuration tokens instead.

To illustrate the DNS information used, here is an extract from a zone file for the domain ASDF.COM:

_kerberos.asdf.com. IN TXT "ASDF.COM"
_kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM"
_kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"

Let us suppose that in this case, a client wishes to use a service on the host foo.asdf.com. It would first query:

_kerberos.foo.asdf.com. IN TXT

Finding no match, it would then query:

_kerberos.asdf.com. IN TXT
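The lookup order just described, as an added example that is not Shishi's own code: the hostname is walked label by label, querying _kerberos.<name> TXT at each step, against a constructed in-memory stand-in for the ASDF.COM zone above. The names mock_txt_query and realm_for_server_dns are hypothetical; a real implementation would issue DNS TXT queries instead of consulting the table.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the _kerberos TXT records of the ASDF.COM zone
 * shown in the man page; not a real DNS response. */
struct txt_record { const char *owner; const char *realm; };

static const struct txt_record zone[] = {
    { "_kerberos.asdf.com.",             "ASDF.COM" },
    { "_kerberos.mrkserver.asdf.com.",   "MARKETING.ASDF.COM" },
    { "_kerberos.salesserver.asdf.com.", "SALES.ASDF.COM" },
};

/* DNS owner names compare case-insensitively. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Hypothetical TXT query answered from the constructed zone table. */
static const char *mock_txt_query(const char *owner)
{
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++)
        if (name_eq(zone[i].owner, owner))
            return zone[i].realm;
    return NULL;
}

/* Query _kerberos.<host>, then _kerberos.<parent>, and so on up the tree,
 * returning the first TXT answer or NULL. The result comes from
 * unauthenticated DNS, so callers treat it as a hint, as the page notes. */
const char *realm_for_server_dns(const char *server)
{
    char name[256];
    const char *label = server;

    while (label && *label) {
        size_t len = strlen(label);
        if (len + sizeof "_kerberos.." > sizeof name) return NULL;
        /* Build the absolute owner name, adding a root dot if missing. */
        snprintf(name, sizeof name, "_kerberos.%s%s", label,
                 label[len - 1] == '.' ? "" : ".");
        const char *realm = mock_txt_query(name);
        if (realm) return realm;
        label = strchr(label, '.');   /* strip the leading label */
        if (label) label++;
    }
    return NULL;
}
```

For foo.asdf.com the walk misses at _kerberos.foo.asdf.com. and answers ASDF.COM at _kerberos.asdf.com., exactly the two queries listed above.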

RETURN VALUE

Returns realm for host, or NULL if not found.

REPORTING BUGS

Report bugs to <[email protected]>.

COPYRIGHT

Copyright © 2002-2010 Simon Josefsson.
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.