shishi_realm_for_server_dns(3)
NAME
shishi_realm_for_server_dns - API function
SYNOPSIS
#include <shishi.h>
char * shishi_realm_for_server_dns(Shishi * handle, char * server);
ARGUMENTS
- Shishi * handle
    Shishi library handle created by shishi_init().
- char * server
    hostname to find realm for.
DESCRIPTION
Find realm for a host using DNS lookups, according to
draft-ietf-krb-wg-krb-dns-locate-03.txt. Since DNS lookups may be
spoofed, relying on the realm information may result in a redirection
attack. In a single-realm scenario, this only achieves a denial of
service, but with cross-realm trust it may redirect you to a compromised realm. For this reason, Shishi prints a warning, suggesting that
the user should add the proper 'server-realm' configuration tokens
instead.
To illustrate the DNS information used, here is an extract from a zone
file for the domain ASDF.COM:
_kerberos.asdf.com. IN TXT "ASDF.COM"
_kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM"
_kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"
Let us suppose that in this case, a client wishes to use a service on
the host foo.asdf.com. It would first query:
_kerberos.foo.asdf.com. IN TXT
Finding no match, it would then query:
_kerberos.asdf.com. IN TXT
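The search order described above, as an added example in C (not Shishi's own code). It shows that a host with no record of its own takes its realm from whichever ancestor answers first, so a spoofed TXT answer at any step of the walk decides the realm. The names txt_lookup and realm_for_server are hypothetical, the zone table is constructed from the extract above, and stripping labels until none remain is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the three TXT records from the zone extract. */
struct txt_rr { const char *owner; const char *realm; };
static const struct txt_rr zone[] = {
    { "_kerberos.asdf.com",             "ASDF.COM" },
    { "_kerberos.mrkserver.asdf.com",   "MARKETING.ASDF.COM" },
    { "_kerberos.salesserver.asdf.com", "SALES.ASDF.COM" },
};

/* Hypothetical stand-in for a DNS TXT query. A real answer is unauthenticated
   unless validated. Names are compared as lowercase text in this sketch. */
static const char *txt_lookup(const char *owner)
{
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++)
        if (strcmp(zone[i].owner, owner) == 0)
            return zone[i].realm;
    return NULL;
}

/* Walk from the full host name towards the root, querying _kerberos.<suffix>
   at each step. Returns the realm or NULL; *queries counts lookups made. */
const char *realm_for_server(const char *server, int *queries)
{
    char owner[300];
    const char *suffix = server;

    *queries = 0;
    while (suffix && *suffix) {
        int n = snprintf(owner, sizeof owner, "_kerberos.%s", suffix);
        if (n < 0 || (size_t)n >= sizeof owner)
            return NULL;               /* name too long: refuse, do not truncate */
        (*queries)++;
        const char *realm = txt_lookup(owner);
        if (realm)
            return realm;              /* first answer wins */
        suffix = strchr(suffix, '.');  /* drop the leftmost label */
        if (suffix)
            suffix++;
    }
    return NULL;
}

int main(void)
{
    int q;
    const char *r = realm_for_server("foo.asdf.com", &q);
    printf("foo.asdf.com -> %s after %d queries\n", r ? r : "(none)", q);
    return 0;
}
```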
RETURN VALUE
Returns realm for host, or NULL if not found.
REPORTING BUGS
Report bugs to <bug-shishi@josefsson.org>.
COPYRIGHT
Copyright © 2002-2008 Simon Josefsson.
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notice and this permission notice are
preserved on all copies.
SEE ALSO
The full documentation for shishi is maintained as a Texinfo manual.
If the info and shishi programs are properly installed at your site,
the command
    info shishi
should give you access to the complete manual.