NetBSD Problem Report #18404

Received: (qmail 12566 invoked by uid 605); 24 Sep 2002 19:08:50 -0000
Message-Id: <20020924190849.778A311122@narn.netbsd.org>
Date: Tue, 24 Sep 2002 12:08:49 -0700 (PDT)
From: eravin@panix.com
Sender: gnats-bugs-owner@netbsd.org
Reply-To: eravin@panix.com
To: gnats-bugs@gnats.netbsd.org
Subject: /usr/bin/telnet fails to Kerberize to multi-address DNS name
X-Send-Pr-Version: www-1.0

>Number:         18404
>Category:       bin
>Synopsis:       /usr/bin/telnet fails to Kerberize to multi-address DNS name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 24 19:09:00 +0000 2002
>Closed-Date:    
>Last-Modified:  Wed Sep 25 10:11:00 +0000 2002
>Originator:     Ed Ravin
>Release:        1.5.4 ALPHA (20020917)
>Organization:
Public Access Networks Corp
>Environment:
1.5.4_ALPHA NetBSD 1.5.4_ALPHA (PANIX)#0: Thu Sep 19 21:43:26 EDT 2002  root@juggler.panix.com:/devel/NO-BACKUPS/release-1.5-20020917/src/sys/arch/i386/compile/PANIX-STAFF i386
>Description:
In an otherwise working Kerberos environment, "/usr/bin/telnet -ax host" will
fail if "host" turns out to be a DNS entry with more than one IP address.  MIT
telnet and C-Kermit with Kerberos support do not have this problem.

The error messages are:

$ telnet -ax shell
Trying 166.84.1.2...
Connected to shell.panix.com.
Escape character is '^]'.
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Server not found in Kerberos database)
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Server not found in Kerberos database)
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)


>How-To-Repeat:
In a working Kerberos environment, set up a DNS record that expands
to multiple addresses:

$ host shell
shell.panix.com has address 166.84.1.3
shell.panix.com has address 166.84.1.1
shell.panix.com has address 166.84.1.2

then "telnet -ax shell" as shown above.

>Fix:
Workaround is to specify a DNS name that does not expand to multiple addresses,
or to specify the IP address, i.e. "telnet -ax 166.84.1.3" in the example above.
>Release-Note:
>Audit-Trail:

From: Roland Dowdeswell <elric@imrryr.org>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name 
Date: Tue, 24 Sep 2002 15:57:53 -0400

 On 1032894529 seconds since the Beginning of the UNIX epoch
 eravin@panix.com wrote:
 >

 >In an otherwise working Kerberos environment, "/usr/bin/telnet -ax host" will
 >fail if "host" turns out to be a DNS entry with more than one IP address.  MIT
 >telnet and C-Kermit with Kerberos support do not have this problem.
 >
 >The error messages are:
 >
 >$ telnet -ax shell
 >Trying 166.84.1.2...
 >Connected to shell.panix.com.
 >Escape character is '^]'.
 >[ Trying KERBEROS5 ... ]
 >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 >[ Trying KERBEROS5 ... ]
 >Kerberos V5: mk_req failed (Server not found in Kerberos database)

 I've got a krb5 realm set up here, and I don't seem to see this
 problem with my multi-homed hosts.  I would guess that there is a
 disagreement between using forward and reverse lookups as the
 authoritative source of data used to generate the name to which
 telnet expects to authenticate.

 Also, I'm running -current which may have different logic than that
 which is in 1.5.4_ALPHA.

 --
     Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

From: "Ed Ravin" <eravin@panix.com>
To: elric@imrryr.org (Roland Dowdeswell)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:03:02 -0400 (EDT)

 Roland Dowdeswell writes:
 > 
 > >Connected to shell.panix.com.
 > >Escape character is '^]'.
 > >[ Trying KERBEROS5 ... ]
 > >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 > >[ Trying KERBEROS5 ... ]
 > >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 > 
 > I've got a krb5 realm set up here, and I don't seem to see this
 > problem with my multi-homed hosts.  I would guess that there is a
 > disagreement between using forward and reverse lookups as the
 > authoritative source of data used to generate the name to which
 > telnet expects to authenticate.

 I should have clarified this in the initial report - "shell.panix.com"
 expands to three different hosts, *not* one multi-homed host.

From: Roland Dowdeswell <elric@imrryr.org>
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name 
Date: Tue, 24 Sep 2002 16:07:43 -0400

 On 1032897782 seconds since the Beginning of the UNIX epoch
 "Ed Ravin" wrote:
 >

 >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 >> >[ Trying KERBEROS5 ... ]
 >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)

 >I should have clarified this in the initial report - "shell.panix.com"
 >expands to three different hosts, *not* one multi-homed host.

 Does telnet -ax panix1.panix.com work?  The error `Server not found
 in Kerberos database' looks familiar in a way.  I think that your
 telnet is trying to authenticate to host/shell.panix.com and panix
 has it set up with keys for host/panix1.panix.com only.  It's just
 a hunch, until we can run a few tests to narrow it down though.

 --
     Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

From: "Ed Ravin" <eravin@panix.com>
To: elric@imrryr.org (Roland Dowdeswell)
Cc: eravin@panix.com (Ed Ravin), gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:16:40 -0400 (EDT)

 Roland Dowdeswell writes:
 > 
 > 
 > On 1032897782 seconds since the Beginning of the UNIX epoch
 > "Ed Ravin" wrote:
 > >
 > 
 > >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 > >> >[ Trying KERBEROS5 ... ]
 > >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
 > 
 > >I should have clarified this in the initial report - "shell.panix.com"
 > >expands to three different hosts, *not* one multi-homed host.
 > 
 > Does telnet -ax panix1.panix.com work?  The error `Server not found
 > in Kerberos database' looks familiar in a way.  I think that your
 > telnet is trying to authenticate to host/shell.panix.com and panix
 > has it set up with keys for host/panix1.panix.com only.  It's just
 > a hunch, until we can run a few tests to narrow it down though.

 Yes, telnet to the individual hostnames or IP addresses works fine.
 And "telnet -ax shell" has worked fine for years with MIT telnet - this
 only broke when we switched to NetBSD telnet :-).  My guess is that
 MIT telnet is canonicalizing on the IP address, so it is immune to this.

From: Roland Dowdeswell <elric@imrryr.org>
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name 
Date: Tue, 24 Sep 2002 16:24:17 -0400

 On 1032898600 seconds since the Beginning of the UNIX epoch
 "Ed Ravin" wrote:
 >

 >Yes, telnet to the individual hostnames or IP addresses works fine.
 >And "telnet -ax shell" has worked fine for years with MIT telnet - this
 >only broke when we switched to NetBSD telnet :-).  My guess is that
 >MIT telnet is canonicalizing on the IP address, so it is immune to this.

 Yep.  We should probably add a flag to telnet or perhaps an entry
 in /etc/krb5.conf to suggest that it use the reverse lookup.  There
 are different viewpoints on this issue.  In a homogeneous environment,
 you can set up either to work properly for this situation but if
 you set up for one way only then the other way won't work.

 In a NetBSD situation, you'd just put host/shell.panix.com in the
 keytabs of all three hosts and it would all work properly.

 So, definitely for interoperability we should implement an optional
 setting to do this.  I would like to suggest that we not make it
 the default, however, because relying on reverse lookups is more
 fragile and less secure than the current method.  More fragile
 because many people are not in control of their reverse resolution
 for various reasons (such as me.  :-)  And less secure because it
 is easy to spoof the reverse lookup but not possible to spoof what
 I type in.  That is, if I type `telnet foo.bar.com' then it makes
 sense to authenticate to host/foo.bar.com@BAR.COM.

 --
     Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

From: joda@pdc.kth.se (Johan Danielsson)
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: 24 Sep 2002 22:28:20 +0200

 eravin@panix.com writes:

 > In an otherwise working Kerberos environment, "/usr/bin/telnet -ax
 > host" will fail if "host" turns out to be a DNS entry with more than
 > one IP address.

 I can't repeat this. Can you find out exactly which service it asks
 for (by looking in the KDC log for instance)?

 /Johan

From: "Ed Ravin" <eravin@panix.com>
To: joda@pdc.kth.se (Johan Danielsson)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:49:06 -0400 (EDT)

 Johan Danielsson writes:
 > 
 > eravin@panix.com writes:
 > > In an otherwise working Kerberos environment, "/usr/bin/telnet -ax
 > > host" will fail if "host" turns out to be a DNS entry with more than
 > > one IP address.
 > 
 > I can't repeat this. Can you find out exactly which service it asks
 > for (by looking in the KDC log for instance)?

 Aha:

   krb5kdc[316]: TGS_REQ (3 etypes {3 2 1}): UNKNOWN_SERVER: eravin@PANIX.COM
 for host/shell.panix.com@PANIX.COM, Server not found in Kerberos database

 So it is looking up via the hostname, even though that hostname is not
 necessarily unique to the IP address that was resolved from it.  On the
 other hand, C-Kermit (and presumably MIT telnet) gets an IP address
 via a forward lookup, then does a reverse lookup of that IP:

   $ kermit -J shell
    DNS Lookup...  Trying 166.84.1.2...  Reverse DNS Lookup... (OK)
   Authenticating with KERBEROS_V5
   Remote machine has been mutually authenticated
   Kerberos V5 accepts you as eravin@PANIX.COM
   Output is now encrypted with type DES_CFB64
   Input is now decrypted with type DES_CFB64
   SECURE connection to host panix2.panix.com:23

 And the KDC log shows that C-Kermit asked for the service
 "host/panix2.panix.com".

 FYI, these are our DNS records for "shell.panix.com":

   shell   600 IN  A   166.84.1.1
   shell   600 IN  A   166.84.1.2
   shell   600 IN  A   166.84.1.3

 And each of those IP numbers is a separate host, namely
 panix[123].panix.com.

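The two ways of deriving the service principal that Ed's KDC log and Roland's earlier message compare, as an added example that is not code from the PR or from any telnet or Kerberos implementation; the PTR records and keytab contents are constructed assumptions, and the forward-confirmation check in `principal_from_reverse` is an added mitigation for the PTR-spoofing concern Roland raises:

```python
"""Added example: simulates how a client turns the name the user typed into a
Kerberos host service principal under the two strategies discussed in
PR 18404, against a constructed in-memory DNS table."""

REALM = "PANIX.COM"

# Constructed forward (A) records, taken from the PR's "host shell" output.
FORWARD = {
    "shell.panix.com": ["166.84.1.1", "166.84.1.2", "166.84.1.3"],
    "panix1.panix.com": ["166.84.1.1"],
    "panix2.panix.com": ["166.84.1.2"],
    "panix3.panix.com": ["166.84.1.3"],
}
# Constructed reverse (PTR) records (assumed; the PR does not list them).
REVERSE = {"166.84.1.1": "panix1.panix.com",
           "166.84.1.2": "panix2.panix.com",
           "166.84.1.3": "panix3.panix.com"}
# Assumed keytab contents: each host holds only its own canonical principal.
KEYTABS = {addr: {f"host/{name}@{REALM}"} for addr, name in REVERSE.items()}


def principal_from_typed_name(name):
    """NetBSD telnet, as the KDC log in the thread shows: host/<typed name>."""
    return f"host/{name}@{REALM}"


def principal_from_reverse(addr):
    """C-Kermit/MIT style: the PTR of the address connect() landed on.
    Caveat from the thread: a PTR is easy to forge, so only trust it when it
    is forward-confirmed, i.e. the PTR name resolves back to addr."""
    ptr = REVERSE.get(addr)
    if ptr is None or addr not in FORWARD.get(ptr, []):
        raise ValueError(f"reverse lookup of {addr} is not forward-confirmed")
    return f"host/{ptr}@{REALM}"


def add_alias_to_keytabs(alias):
    """Roland's fix: give every host behind the alias a key for host/<alias>."""
    for addr in FORWARD[alias]:
        KEYTABS[addr].add(f"host/{alias}@{REALM}")


def try_auth(name, addr, strategy):
    """Return (principal requested, whether addr's keytab has a key for it);
    addr is the A record the connect() happened to use."""
    principal = (principal_from_typed_name(name) if strategy == "typed"
                 else principal_from_reverse(addr))
    return principal, principal in KEYTABS[addr]
```

Running `try_auth("shell.panix.com", "166.84.1.2", "typed")` reproduces the UNKNOWN_SERVER case from the log, while the "reverse" strategy or adding the alias to all three keytabs makes the same connection succeed.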
From: joda@pdc.kth.se (Johan Danielsson)
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: 25 Sep 2002 12:10:16 +0200

 "Ed Ravin" <eravin@panix.com> writes:

 > So it is looking up via the hostname, even though that hostname is
 > not necessarily unique to the IP address that was resolved from it.

 We had some off-line discussion about this yesterday, and I think the
 conclusion was that this is the correct behaviour, but that there
 should be some way to make it use the reverse name.

 /Johan
>Unformatted:
