-rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 10 | ||||
-rw-r--r-- | src/include/k5-int.h | 2 | ||||
-rw-r--r-- | src/lib/krb5/krb/init_ctx.c | 5 | ||||
-rw-r--r-- | src/lib/krb5/os/sn2princ.c | 2 |
4 files changed, 17 insertions, 2 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6fa94e7c81..ff6a861e9d 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations:
 clients from taking advantage of new stronger enctypes when the libraries are upgraded.
+**dns_canonicalize_hostname**
+ Indicate whether name lookups will be used to canonicalize
+ hostnames for use in service principal names. Setting this flag
+ to false can improve security by reducing reliance on DNS, but
+ means that short hostnames will not be canonicalized to
+ fully-qualified hostnames. The default value is true.
+
 **dns_lookup_kdc**
 Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the
@@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations:
 **rdns**
 If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in
- service principal names. The default value is true.
+ service principal names. If **dns_canonicalize_hostname** is set
+ to false, this flag has no effect. The default value is true.
 **realm_try_domains**
 Indicate whether a host's domain components should be used to
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 5119e66da6..f84fbd8359 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -207,6 +207,7 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_DISABLE "disable"
 #define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success"
 #define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout"
+#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME "dns_canonicalize_hostname"
 #define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
 #define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
 #define KRB5_CONF_DNS_FALLBACK "dns_fallback"
@@ -1175,6 +1176,7 @@ struct _krb5_context {
 krb5_boolean allow_weak_crypto;
 krb5_boolean ignore_acceptor_hostname;
+ krb5_boolean dns_canonicalize_hostname;
 krb5_trace_callback trace_callback;
 void *trace_callback_data;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 3f4aad4fd6..252596d142 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -210,6 +210,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
 goto cleanup;
 ctx->ignore_acceptor_hostname = tmp;
+ retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->dns_canonicalize_hostname = tmp;
+
 /* initialize the prng (not well, but passable) */
 if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
 goto cleanup;
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index b3de66383e..86a076222d 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -86,7 +86,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
 /* copy the hostname into non-volatile storage */
- if (type == KRB5_NT_SRV_HST) {
+ if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) {
 struct addrinfo *ai = NULL, hints;
 int err;
 char hnamebuf[NI_MAXHOST];
|
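Review bot: The new condition in the sn2princ.c hunk routes KRB5_NT_SRV_HST names past the getaddrinfo branch whenever dns_canonicalize_hostname is false, so a caller-supplied hostname now reaches the principal without DNS canonicalization, and the code that handles it is whatever the else branch below the hunk does for the non-SRV_HST case. Whether that path still lowercases the name and strips a trailing dot, and whether the else branch carries a comment that still describes it as the KRB5_NT_UNKNOWN-only case, cannot be confirmed from the hunk and should be checked, since the documentation hunk promises only that short names stay short. A comment on the changed line would make the intent explicit: `/* Consult DNS only if dns_canonicalize_hostname is set; otherwise use the name as given. */`. The body of krb5_sname_to_principal starts and ends outside the hunk.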