Add a flag to prevent all host canonicalization

If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.

ticket: 7703 (new)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6fa94e7c815cd4fa1d173a33d036896cb423a44e..ff6a861e9d43af02c61178a1ae28421f2053b981 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations:
     clients from taking advantage of new stronger enctypes when the
     libraries are upgraded.
 
+**dns_canonicalize_hostname**
+    Indicate whether name lookups will be used to canonicalize
+    hostnames for use in service principal names.  Setting this flag
+    to false can improve security by reducing reliance on DNS, but
+    means that short hostnames will not be canonicalized to
+    fully-qualified hostnames.  The default value is true.
+
 **dns_lookup_kdc**
     Indicate whether DNS SRV records should be used to locate the KDCs
     and other servers for a realm, if they are not listed in the
@@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations:
 **rdns**
     If this flag is true, reverse name lookup will be used in addition
     to forward name lookup to canonicalizing hostnames for use in
-    service principal names.  The default value is true.
+    service principal names.  If **dns_canonicalize_hostname** is set
+    to false, this flag has no effect.  The default value is true.
 
 **realm_try_domains**
     Indicate whether a host's domain components should be used to

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 5119e66da62b7b708dbe5dd1065f7c861a72fd95..f84fbd83597be1ca92d8c73bb3af8dfc31a05959 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -207,6 +207,7 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_DISABLE                     "disable"
 #define KRB5_CONF_DISABLE_LAST_SUCCESS        "disable_last_success"
 #define KRB5_CONF_DISABLE_LOCKOUT             "disable_lockout"
+#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME   "dns_canonicalize_hostname"
 #define KRB5_CONF_DNS_LOOKUP_KDC              "dns_lookup_kdc"
 #define KRB5_CONF_DNS_LOOKUP_REALM            "dns_lookup_realm"
 #define KRB5_CONF_DNS_FALLBACK                "dns_fallback"
@@ -1175,6 +1176,7 @@ struct _krb5_context {
 
     krb5_boolean allow_weak_crypto;
     krb5_boolean ignore_acceptor_hostname;
+    krb5_boolean dns_canonicalize_hostname;
 
     krb5_trace_callback trace_callback;
     void *trace_callback_data;

diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 3f4aad4fd6df68cb89d6edf2feb0537f6bab0d33..252596d1425c07b54b3fa0a5f179fc633d452a07 100644 (file)
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -210,6 +210,11 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
         goto cleanup;
     ctx->ignore_acceptor_hostname = tmp;
 
+    retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
+    if (retval)
+        goto cleanup;
+    ctx->dns_canonicalize_hostname = tmp;
+
     /* initialize the prng (not well, but passable) */
     if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
         goto cleanup;

diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index b3de66383ed601696c939d84ee1fde87ddb1b628..86a076222d7f8cbf26547f71eccb48f1ef1c452c 100644 (file)
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -86,7 +86,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
 
         /* copy the hostname into non-volatile storage */
 
-        if (type == KRB5_NT_SRV_HST) {
+        if (type == KRB5_NT_SRV_HST && context->dns_canonicalize_hostname) {
             struct addrinfo *ai = NULL, hints;
             int err;
             char hnamebuf[NI_MAXHOST];