We're updating the issue view to help you get more done. 

As a security-conscious user, I want to have mutual authentication which cannot be compromised by DNS spoofing

Description

Kerberos authentication typically provides mutual authentication, meaning the server is authenticated to the client as well as the client to the server. Authenticating the server has taken on increasing importance in Internet security. Unfortunately, Kerberos's mutual authentication is gravely weakened when the client depends on insecure DNS to canonicalize the server hostname.

In release 1.12 we added the ability to set dns_canonicalize_hostname=False, which closes this loophole by preventing all DNS canonicalization. But it is not enabled by default and it imposes a convenience burden on users; they cannot even take advantage of the domain search path.

One approach to mitigating this problem is described here:

http://k5wiki.kerberos.org/wiki/Projects/Trust_KDC-local_name_resolution

Status

Assignee

Unassigned

Reporter

Greg Hudson

Labels

None

Priority

Normal