[Freeipa-users] FreeIPA and FQDN requirements

Rich Megginson rmeggins at redhat.com
Fri Aug 8 20:39:54 UTC 2014


On 08/08/2014 02:35 PM, Simo Sorce wrote:
> On Fri, 2014-08-08 at 10:09 -0600, Rich Megginson wrote:
>> On 08/08/2014 08:57 AM, brendan kearney wrote:
>>> Kerberos is dependent on A records in dns.  The instance (as in
>>> principal/instance at REALM) should match the A record in dns.
>>>
>>> There is absolutely no Kerberos dependency on hostnames being fully
>>> qualified.  I have all my devices named with short names and I have no
>>> issues with Kerberos ticketing.
>>>
>>> This seems to be an artificial requirement in FreeIPA that is wrong.
>>>
>> The other hostname requirement is for TLS/SSL, for MITM checking. By
>> default, when an SSL server cert is issued, the subject DN contains
>> cn=fqdn as the leftmost component.  clients use this fqdn to verify the
>> server.  That is, client knows the IP address of the server - client
>> does a reverse lookup (i.e. PTR) to see if the server returned by that
>> lookup matches the cn=fqdn in the server cert.  This requires reverse
>> lookups are configured and that the fqdn is the first name/alias returned.
> This is incorrect, clients check that the name they've been told to use
> matches what the certificate says is the name of the server.
>
> PTR records are never and *should never* be used to check certificate
> names or it would be absolutely trivial to MITM clients by redirecting
> them to a different IP address or spoofing the PTR reply from DNS to a
> certificate that is completely unrelated to the server you wanted to
> connect to.

Sorry.  Yes, you are correct.  The TLS/SSL client does not do a PTR
lookup; it does an A/AAAA lookup of the host specified in the server
cert subject DN, then sees if that IP address matches the IP address of
the server from the network connection.


>
> Simo.
>
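The check Simo describes (the client compares the name it was told to connect to against the names the certificate asserts, and the peer's IP address or any PTR answer plays no part), as an added Python example that is not from this thread or from FreeIPA. The certificate dict is a constructed sample in the shape returned by ssl.SSLSocket.getpeercert(), and the wildcard and CN-fallback rules are assumed to follow RFC 6125.

```python
import ipaddress

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output (assumption:
# the IPA server cert carries cn=fqdn plus a matching dNSName SAN).
SAMPLE_CERT = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (("DNS", "ipa.example.test"), ("IP Address", "192.0.2.10")),
}

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    a wildcard is only honoured as the entire leftmost label and matches
    exactly one label (so '*.example.test' never matches 'example.test')."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def name_in_cert(requested: str, cert: dict) -> bool:
    """True if the name the client was told to use is one the certificate asserts.
    Note what is NOT consulted: no PTR lookup, no A/AAAA lookup, no peer IP."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal only matches an iPAddress SAN, never a DNS name or CN.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        # Once any dNSName SAN is present, the CN is ignored entirely.
        return any(_dns_name_matches(p, requested) for p in dns_names)
    # Legacy fallback: commonName, only for certs with no dNSName SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, requested) for cn in cns)

if __name__ == "__main__":
    # A short name such as "ipa" does not match a cert issued for the FQDN.
    for name in ("ipa.example.test", "IPA.EXAMPLE.TEST.", "192.0.2.10", "ipa"):
        print(f"{name:20} -> {name_in_cert(name, SAMPLE_CERT)}")
```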