
Use custom KRB5_CONFIG and turn off dns_canonicalize_hostname in keysystem

Open celskeggs opened this issue 7 years ago • 4 comments

We both want to:

  • isolate ourselves from the choices that our users make about configuring their systems
  • and make sure that dns_canonicalize_hostname (or at least rdns) is disabled for the sake of security and not trusting reverse DNS

As such, we should give knc a KRB5_CONFIG env variable and specify exactly what config it should use.

The main question is "what should this config look like", because it's possible that the user does want to do something with a nonstandard Kerberos realm.

celskeggs, Jul 15 '18 03:07
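The setup proposed above, as an added example that is not part of the original thread or the project's own code: write a dedicated krb5.conf with both canonicalization options off, verify it, and hand it to knc through KRB5_CONFIG. The realm EXAMPLE.ORG and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the Kerberos configuration that knc sees.
# EXAMPLE.ORG and all function names here are hypothetical.

# Write a minimal krb5.conf that disables forward and reverse DNS
# canonicalization. $1 = output path, $2 = default realm.
write_pinned_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $2
    dns_canonicalize_hostname = false
    rdns = false
EOF
}

# Return 0 only if [libdefaults] explicitly sets both options to a false
# value. A missing option fails, because the library default would apply,
# and any non-false occurrence fails. Only a strict subset of krb5's false
# spellings (false/no/off/0) is accepted.
krb5_conf_is_pinned() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[libdefaults]" && /=/ {
            split($0, kv, "=")
            key = kv[1]; val = tolower(kv[2])
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "dns_canonicalize_hostname" || key == "rdns") {
                seen[key] = 1
                if (val != "false" && val != "no" && val != "off" && val != "0")
                    bad = 1
            }
        }
        END { exit (seen["dns_canonicalize_hostname"] && seen["rdns"] && !bad) ? 0 : 1 }
    ' "$1"
}

# Run knc with the pinned config, ignoring any KRB5_CONFIG the user exported.
# $1 = config path; remaining arguments are passed to knc unchanged.
run_knc_pinned() {
    conf=$1; shift
    krb5_conf_is_pinned "$conf" || {
        echo "refusing to run knc: $conf does not disable canonicalization" >&2
        return 1
    }
    KRB5_CONFIG="$conf" knc "$@"
}
```

Setting KRB5_CONFIG to a single file replaces the default config path, so the system-wide /etc/krb5.conf is not consulted for that process.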

Why would the user want to do something with a nonstandard Kerberos realm? Are we expecting people to deploy Hyades outside the context of MIT?

krawthekrow, Jul 15 '18 03:07

We're hoping.

(though, of course, they'll probably have other issues, so we also can't expect to make everything perfectly streamlined for that use case.)

celskeggs, Jul 15 '18 03:07

If that's the case, I expect people to generally have different methods for identity verification. From my understanding of Hyades' architecture, the identity verification part is already somewhat isolated from the rest of the system -- maybe we should make it such that that component can be easily swapped out?

krawthekrow, Jul 15 '18 03:07

Yes, that's probably a better use of time than trying to make our krb5 configuration support arbitrary domains. But we should probably actually do "neither" at this time.

celskeggs, Jul 15 '18 03:07