| Field | Value | Date |
|---|---|---|
| author | Greg Hudson <ghudson@mit.edu> | 2013-09-05 18:30:02 -0400 |
| committer | Greg Hudson <ghudson@mit.edu> | 2013-09-06 01:02:28 -0400 |
| commit | 60edb321af64081e3eb597da0256faf117c9c441 (patch) | |
| tree | 698137c48805a6b3381e531ddbfcc46fe5cab73a /doc/admin/conf_files | |
| parent | 9e37d01a0122904776fada43ec65425c375414d8 (diff) | |
Add a flag to prevent all host canonicalization
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
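The following krb5.conf fragment is an added illustration of the two [libdefaults] settings this commit documents; it is not part of the commit and not MIT's own example. The realm name, the hostnames and the comments are constructed for the illustration.

```ini
[libdefaults]
# Constructed example realm; replace with the real one.
    default_realm = EXAMPLE.COM

# Default behaviour (both flags true, shown commented out): a short
# hostname such as "fileserver" passed by an application is turned into
# a fully-qualified name by a forward DNS lookup, and the reverse lookup
# (rdns) may replace that name again, before the service principal
# host/<name>@EXAMPLE.COM is formed.  The principal the client asks for
# therefore depends on whatever DNS answers, which is the reliance the
# commit message refers to.
#   dns_canonicalize_hostname = true
#   rdns = true

# Hardened setting: the hostname is used exactly as the application
# supplied it.  rdns is irrelevant once this is false, so it is omitted.
# Applications and users now have to pass fully-qualified names, e.g.
# "fileserver.example.com"; a bare "fileserver" would yield
# host/fileserver@EXAMPLE.COM, which does not match the key the KDC holds.
    dns_canonicalize_hostname = false
```

The fragment only covers [libdefaults]; the [realms] and [domain_realm] sections of a real krb5.conf are unaffected by this flag.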
Diffstat (limited to 'doc/admin/conf_files')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 10 |

1 files changed, 9 insertions, 1 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 6fa94e7c81..ff6a861e9d 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations: clients from taking advantage of new stronger enctypes when the libraries are upgraded. +**dns_canonicalize_hostname** + Indicate whether name lookups will be used to canonicalize + hostnames for use in service principal names. Setting this flag + to false can improve security by reducing reliance on DNS, but + means that short hostnames will not be canonicalized to + fully-qualified hostnames. The default value is true. + **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the @@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations: **rdns** If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in - service principal names. The default value is true. + service principal names. If **dns_canonicalize_hostname** is set + to false, this flag has no effect. The default value is true. **realm_try_domains** Indicate whether a host's domain components should be used to |
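Review bot: the new **dns_canonicalize_hostname** entry in the first hunk tells the administrator what is lost (short hostnames stay short) but not what that requires of them: once the flag is false, the service principal is built from the hostname exactly as the application supplied it, so short names must now be avoided at the call site or the principal will not match the key the KDC holds. Suggest appending a sentence along the lines of "When this flag is false, applications must supply fully-qualified hostnames." It would also help to mention **rdns** here, since the second hunk cross-references in the other direction only.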
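Review bot: in the second hunk the retained context line "in addition to forward name lookup to canonicalizing hostnames" is ungrammatical; since the hunk already rewrites the following line, change it to "to canonicalize hostnames" in the same patch. The added sentence is correct; for consistency with the new entry, which says "Setting this flag to false", consider the same phrasing here rather than "is set to false".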