[Freeipa-users] FreeIPA and FQDN requirements

Simo Sorce simo at redhat.com
Fri Aug 8 20:35:31 UTC 2014


On Fri, 2014-08-08 at 10:09 -0600, Rich Megginson wrote:
> On 08/08/2014 08:57 AM, brendan kearney wrote:
> >
> > Kerberos is dependent on A records in dns.  The instance (as in 
> > principal/instance at REALM) should match the A record in dns.
> >
> > There is absolutely no Kerberos dependency on hostnames being fully 
> > qualified.  I have all my devices named with short names and I have no 
> > issues with Kerberos ticketing.
> >
> > This seems to be an artificial requirement in FreeIPA that is wrong.
> >
> 
> The other hostname requirement is for TLS/SSL, for MITM checking. By 
> default, when an SSL server cert is issued, the subject DN contains 
> cn=fqdn as the leftmost component.  Clients use this fqdn to verify the 
> server.  That is, the client knows the IP address of the server - the client 
> does a reverse lookup (i.e. PTR) to see if the server returned by that 
> lookup matches the cn=fqdn in the server cert.  This requires that reverse 
> lookups are configured and that the fqdn is the first name/alias returned.

This is incorrect: clients check that the name they've been told to use
matches what the certificate says is the name of the server.

PTR records are never and *should never* be used to check certificate
names or it would be absolutely trivial to MITM clients by redirecting
them to a different IP address or spoofing the PTR reply from DNS to a
certificate that is completely unrelated to the server you wanted to
connect to.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
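As an added illustration of the point Simo makes (example code written for this thread, not FreeIPA's or any TLS library's own; the hostnames and certificate names are constructed samples): the check compares the name the client intended to reach against the certificate's dNSName entries, and the PTR-based variant is included only to show why a redirected client would wrongly accept an unrelated certificate.

```python
"""Hostname verification as described above: the name the client was told
to use must match a name in the server certificate.  Added example, not
FreeIPA code; all names below are constructed sample data."""


def name_matches(cert_name, requested_name):
    """Match one dNSName from the certificate against the intended hostname.

    Case-insensitive, trailing dots ignored.  Wildcards follow the usual
    RFC 6125 rules: only a whole left-most label may be '*', it matches
    exactly one label, and it may not stand in for a bare TLD."""
    cert = cert_name.lower().rstrip(".")
    want = requested_name.lower().rstrip(".")
    if "*" not in cert:
        return cert == want
    cert_labels, want_labels = cert.split("."), want.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert[1:]:
        return False  # partial wildcard (e.g. "ipa*.example.com") or "*.com"
    if len(cert_labels) != len(want_labels):
        return False  # "*.example.com" must not match "a.b.example.com"
    return cert_labels[1:] == want_labels[1:]


def verify_hostname(requested_name, san_dns_names, subject_cn=None):
    """The correct check: the name the client was asked to connect to must
    appear in the certificate.  SAN entries are authoritative; the subject
    CN is consulted only when the certificate carries no SAN at all."""
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [subject_cn] if subject_cn else []
    return any(name_matches(n, requested_name) for n in names)


def verify_by_ptr(ptr_name_from_dns, san_dns_names, subject_cn=None):
    """The flawed variant: trust whatever name the PTR lookup for the
    server IP returns.  Kept here only to contrast with verify_hostname;
    an attacker who controls the IP the client lands on also controls
    (or can spoof) the PTR answer, so this proves nothing."""
    return verify_hostname(ptr_name_from_dns, san_dns_names, subject_cn)


if __name__ == "__main__":
    # Client wanted ipa.example.com but was redirected to a host whose PTR
    # and certificate both say attacker.example (constructed scenario).
    unrelated_cert = ["attacker.example"]
    print("PTR-style check accepts:", verify_by_ptr("attacker.example", unrelated_cert))
    print("Name check accepts:", verify_hostname("ipa.example.com", unrelated_cert))
```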
