NetBSD Problem Report #18404
Received: (qmail 12566 invoked by uid 605); 24 Sep 2002 19:08:50 -0000
Message-Id: <20020924190849.778A311122@narn.netbsd.org>
Date: Tue, 24 Sep 2002 12:08:49 -0700 (PDT)
From: eravin@panix.com
Sender: gnats-bugs-owner@netbsd.org
Reply-To: eravin@panix.com
To: gnats-bugs@gnats.netbsd.org
Subject: /usr/bin/telnet fails to Kerberize to multi-address DNS name
X-Send-Pr-Version: www-1.0
>Number: 18404
>Category: bin
>Synopsis: /usr/bin/telnet fails to Kerberize to multi-address DNS name
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 24 19:09:00 +0000 2002
>Closed-Date:
>Last-Modified: Wed Sep 25 10:11:00 +0000 2002
>Originator: Ed Ravin
>Release: 1.5.4 ALPHA (20020917)
>Organization:
Public Access Networks Corp
>Environment:
1.5.4_ALPHA NetBSD 1.5.4_ALPHA (PANIX)#0: Thu Sep 19 21:43:26 EDT 2002 root@juggler.panix.com:/devel/NO-BACKUPS/release-1.5-20020917/src/sys/arch/i386/compile/PANIX-STAFF i386
>Description:
In an otherwise working Kerberos environment, "/usr/bin/telnet -ax host" will
fail if "host" turns out to be a DNS entry with more than one IP address. MIT
telnet and C-Kermit with Kerberos support do not have this problem.
The error messages are:
$ telnet -ax shell
Trying 166.84.1.2...
Connected to shell.panix.com.
Escape character is '^]'.
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Server not found in Kerberos database)
[ Trying KERBEROS5 ... ]
Kerberos V5: mk_req failed (Server not found in Kerberos database)
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)
>How-To-Repeat:
In a working Kerberos environment, set up a DNS record that expands
to multiple addresses:
$ host shell
shell.panix.com has address 166.84.1.3
shell.panix.com has address 166.84.1.1
shell.panix.com has address 166.84.1.2
then "telnet -ax shell" as shown above.
>Fix:
Workaround is to specify a DNS name that does not expand to multiple addresses,
or to specify the IP address, i.e. "telnet -ax 166.84.1.3" in the example above.
>Release-Note:
>Audit-Trail:
From: Roland Dowdeswell <elric@imrryr.org>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 15:57:53 -0400
On 1032894529 seconds since the Beginning of the UNIX epoch
eravin@panix.com wrote:
>
>In an otherwise working Kerberos environment, "/usr/bin/telnet -ax host" will
>fail if "host" turns out to be a DNS entry with more than one IP address. MIT
>telnet and C-Kermit with Kerberos support do not have this problem.
>
>The error messages are:
>
>$ telnet -ax shell
>Trying 166.84.1.2...
>Connected to shell.panix.com.
>Escape character is '^]'.
>[ Trying KERBEROS5 ... ]
>Kerberos V5: mk_req failed (Server not found in Kerberos database)
>[ Trying KERBEROS5 ... ]
>Kerberos V5: mk_req failed (Server not found in Kerberos database)
I've got a krb5 realm set up here, and I don't seem to see this
problem with my multi-homed hosts. I would guess that there is a
disagreement between using forward and reverse lookups as the
authoritative source of data used to generate the name to which
telnet expects to authenticate.
Also, I'm running -current which may have different logic than that
which is in 1.5.4_ALPHA.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
From: "Ed Ravin" <eravin@panix.com>
To: elric@imrryr.org (Roland Dowdeswell)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:03:02 -0400 (EDT)
Roland Dowdeswell writes:
>
> >Connected to shell.panix.com.
> >Escape character is '^]'.
> >[ Trying KERBEROS5 ... ]
> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
> >[ Trying KERBEROS5 ... ]
> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
>
> I've got a krb5 realm set up here, and I don't seem to see this
> problem with my multi-homed hosts. I would guess that there is a
> disagreement between using forward and reverse lookups as the
> authoritative source of data used to generate the name to which
> telnet expects to authenticate.
I should have clarified this in the initial report - "shell.panix.com"
expands to three different hosts, *not* one multi-homed host.
From: Roland Dowdeswell <elric@imrryr.org>
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:07:43 -0400
On 1032897782 seconds since the Beginning of the UNIX epoch
"Ed Ravin" wrote:
>
>> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
>> >[ Trying KERBEROS5 ... ]
>> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
>I should have clarified this in the initial report - "shell.panix.com"
>expands to three different hosts, *not* one multi-homed host.
Does telnet -ax panix1.panix.com work? The error `Server not found
in Kerberos database' looks familiar in a way. I think that your
telnet is trying to authenticate to host/shell.panix.com and panix
has it set up with keys for host/panix1.panix.com only. It's just
a hunch, until we can run a few tests to narrow it down though.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
From: "Ed Ravin" <eravin@panix.com>
To: elric@imrryr.org (Roland Dowdeswell)
Cc: eravin@panix.com (Ed Ravin), gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:16:40 -0400 (EDT)
Roland Dowdeswell writes:
>
>
> On 1032897782 seconds since the Beginning of the UNIX epoch
> "Ed Ravin" wrote:
> >
>
> >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
> >> >[ Trying KERBEROS5 ... ]
> >> >Kerberos V5: mk_req failed (Server not found in Kerberos database)
>
> >I should have clarified this in the initial report - "shell.panix.com"
> >expands to three different hosts, *not* one multi-homed host.
>
> Does telnet -ax panix1.panix.com work? The error `Server not found
> in Kerberos database' looks familiar in a way. I think that your
> telnet is trying to authenticate to host/shell.panix.com and panix
> has it set up with keys for host/panix1.panix.com only. It's just
> a hunch, until we can run a few tests to narrow it down though.
Yes, telnet to the individual hostnames or IP addresses works fine.
And "telnet -ax shell" has worked fine for years with MIT telnet - this
only broke when we switched to NetBSD telnet :-). My guess is that
MIT telnet is canonicalizing on the IP address, so it is immune to this.
From: Roland Dowdeswell <elric@imrryr.org>
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:24:17 -0400
On 1032898600 seconds since the Beginning of the UNIX epoch
"Ed Ravin" wrote:
>
>Yes, telnet to the individual hostnames or IP addresses works fine.
>And "telnet -ax shell" has worked fine for years with MIT telnet - this
>only broke when we switched to NetBSD telnet :-). My guess is that
>MIT telnet is canonicalizing on the IP address, so it is immune to this.
Yep. We should probably add a flag to telnet or perhaps an entry
in /etc/krb5.conf to suggest that it use the reverse lookup. There
are different viewpoints on this issue. In a homogeneous environment,
you can set up either to work properly for this situation but if
you set up for one way only then the other way won't work.
In a NetBSD situation, you'd just put host/shell.panix.com in the
keytabs of all three hosts and it would all work properly.
So, definitely for interoperability we should implement an optional
setting to do this. I would like to suggest that we not make it
the default, however, because relying on reverse lookups is more
fragile and less secure than the current method. More fragile
because many people are not in control of their reverse resolution
for various reasons (such as me. :-) And less secure because it
is easy to spoof the reverse lookup but not possible to spoof what
I type in. That is, if I type `telnet foo.bar.com' then it makes
sense to authenticate to host/foo.bar.com@BAR.COM.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
From: joda@pdc.kth.se (Johan Danielsson)
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: 24 Sep 2002 22:28:20 +0200
eravin@panix.com writes:
> In an otherwise working Kerberos environment, "/usr/bin/telnet -ax
> host" will fail if "host" turns out to be a DNS entry with more than
> one IP address.
I can't repeat this. Can you find out exactly which service it asks
for (by looking in the KDC log for instance)?
/Johan
From: "Ed Ravin" <eravin@panix.com>
To: joda@pdc.kth.se (Johan Danielsson)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: Tue, 24 Sep 2002 16:49:06 -0400 (EDT)
Johan Danielsson writes:
>
> eravin@panix.com writes:
> > In an otherwise working Kerberos environment, "/usr/bin/telnet -ax
> > host" will fail if "host" turns out to be a DNS entry with more than
> > one IP address.
>
> I can't repeat this. Can you find out exactly which service it asks
> for (by looking in the KDC log for instance)?
Aha:
krb5kdc[316]: TGS_REQ (3 etypes {3 2 1}): UNKNOWN_SERVER: eravin@PANIX.COM
for host/shell.panix.com@PANIX.COM, Server not found in Kerberos database
So it is looking up via the hostname, even though that hostname is not
necessarily unique to the IP address that was resolved from it. On the
other hand, C-Kermit (and presumably MIT telnet) gets an IP address
via a forward lookup, then does a reverse lookup of that IP:
$ kermit -J shell
DNS Lookup... Trying 166.84.1.2... Reverse DNS Lookup... (OK)
Authenticating with KERBEROS_V5
Remote machine has been mutually authenticated
Kerberos V5 accepts you as eravin@PANIX.COM
Output is now encrypted with type DES_CFB64
Input is now decrypted with type DES_CFB64
SECURE connection to host panix2.panix.com:23
And the KDC log shows that C-Kermit asked for the service
"host/panix2.panix.com".
FYI, these are our DNS records for "shell.panix.com":
shell 600 IN A 166.84.1.1
shell 600 IN A 166.84.1.2
shell 600 IN A 166.84.1.3
And each of those IP numbers is a separate host, namely
panix[123].panix.com.
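The two ways of choosing the service principal that Roland's message and Ed's KDC log describe (build host/<name> from what the user typed, or from a reverse lookup of the address actually connected to) can be played through without a network. The Python below is an added illustration, not code from the report, from NetBSD telnet or from C-Kermit; the forward and reverse DNS tables, the KDC principal set and the per-host keytabs are constructed to mirror the records posted above, and the function names, the outcome labels and the address `other.example.net` are assumptions of the example.

```python
"""Model of how a Kerberized telnet client picks the service principal.
Strategy A: host/<typed name> (NetBSD telnet in the report).
Strategy B: host/<PTR of connected IP> (C-Kermit in the report).
All data below is constructed from the thread; no network or KDC is used."""

REALM = "PANIX.COM"

# Constructed forward zone: the round-robin name plus the three real hosts.
FORWARD_DNS = {
    "shell.panix.com": ["166.84.1.1", "166.84.1.2", "166.84.1.3"],
    "panix1.panix.com": ["166.84.1.1"],
    "panix2.panix.com": ["166.84.1.2"],
    "panix3.panix.com": ["166.84.1.3"],
}
# Constructed reverse zone (PTR records) for the same three hosts.
REVERSE_DNS = {
    "166.84.1.1": "panix1.panix.com",
    "166.84.1.2": "panix2.panix.com",
    "166.84.1.3": "panix3.panix.com",
}

def host_principal(name):
    """Kerberos host service principal for a DNS name in REALM."""
    return f"host/{name}@{REALM}"

def principal_from_typed_name(name, ip, reverse=REVERSE_DNS):
    """Strategy A: authenticate to exactly what the user typed."""
    return host_principal(name)

def principal_from_reverse_lookup(name, ip, reverse=REVERSE_DNS):
    """Strategy B: PTR lookup of the address we actually connected to."""
    return host_principal(reverse[ip])

def kerberized_connect(name, pick_principal, kdc_principals, keytabs,
                       addr_index=0, reverse=REVERSE_DNS):
    """Simulate 'telnet -ax name'; return (ip, principal requested, outcome).
    UNKNOWN_SERVER   - KDC has no such principal (the TGS_REQ error logged above)
    NO_KEY_ON_TARGET - KDC issued a ticket, but the host reached lacks the key
    OK               - the host reached can decrypt the ticket"""
    ips = FORWARD_DNS[name]
    ip = ips[addr_index % len(ips)]        # which A record the resolver handed us
    principal = pick_principal(name, ip, reverse)
    if principal not in kdc_principals:
        return ip, principal, "UNKNOWN_SERVER"
    if principal not in keytabs[ip]:
        return ip, principal, "NO_KEY_ON_TARGET"
    return ip, principal, "OK"

# As deployed per the report: KDC and each keytab know only host/panixN.
KDC_AS_REPORTED = {host_principal(h) for h in REVERSE_DNS.values()}
KEYTABS_AS_REPORTED = {ip: {host_principal(h)} for ip, h in REVERSE_DNS.items()}

def add_shared_principal(kdc_principals, keytabs, shared_name, on_ips):
    """The fix suggested in the thread: register host/shared_name on the KDC
    and install its key in the keytab of every host in on_ips."""
    shared = host_principal(shared_name)
    new_kdc = set(kdc_principals) | {shared}
    new_keytabs = {ip: set(keys) | ({shared} if ip in on_ips else set())
                   for ip, keys in keytabs.items()}
    return new_kdc, new_keytabs

def run_report_scenarios():
    """Replay the thread's cases; addr_index=1 picks 166.84.1.2 as in the log."""
    out = {}
    out["typed_as_reported"] = kerberized_connect(
        "shell.panix.com", principal_from_typed_name,
        KDC_AS_REPORTED, KEYTABS_AS_REPORTED, addr_index=1)
    out["reverse_as_reported"] = kerberized_connect(
        "shell.panix.com", principal_from_reverse_lookup,
        KDC_AS_REPORTED, KEYTABS_AS_REPORTED, addr_index=1)
    # Partial fix: principal registered, but key installed on one host only.
    kdc1, kt1 = add_shared_principal(KDC_AS_REPORTED, KEYTABS_AS_REPORTED,
                                     "shell.panix.com", {"166.84.1.1"})
    out["typed_shared_on_one_host"] = kerberized_connect(
        "shell.panix.com", principal_from_typed_name, kdc1, kt1, addr_index=1)
    # Full fix: key on all three hosts, so every A record works with strategy A.
    kdc3, kt3 = add_shared_principal(KDC_AS_REPORTED, KEYTABS_AS_REPORTED,
                                     "shell.panix.com", set(REVERSE_DNS))
    out["typed_shared_on_all_hosts"] = [
        kerberized_connect("shell.panix.com", principal_from_typed_name,
                           kdc3, kt3, addr_index=i)[2] for i in range(3)]
    return out

def reverse_strategy_depends_on_ptr(ip="166.84.1.2"):
    """Roland's caveat: strategy B authenticates to whatever the PTR says, so a
    changed PTR changes the requested principal; strategy A is unaffected."""
    altered = dict(REVERSE_DNS)
    altered[ip] = "other.example.net"      # constructed value, not a real record
    return (principal_from_reverse_lookup("shell.panix.com", ip, altered),
            principal_from_typed_name("shell.panix.com", ip, altered))

if __name__ == "__main__":
    for case, result in run_report_scenarios().items():
        print(f"{case:28} {result}")
    print(reverse_strategy_depends_on_ptr())
```

The `typed_shared_on_one_host` case is the one to watch when applying the keytab fix: the KDC stops logging UNKNOWN_SERVER as soon as the principal is registered, but connections still fail on whichever hosts have not received the key, and only for the A records that happen to resolve to them.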
From: joda@pdc.kth.se (Johan Danielsson)
To: "Ed Ravin" <eravin@panix.com>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18404: /usr/bin/telnet fails to Kerberize to multi-address DNS name
Date: 25 Sep 2002 12:10:16 +0200
"Ed Ravin" <eravin@panix.com> writes:
> So it is looking up via the hostname, even though that hostname is
> not necessarily unique to the IP address that was resolved from it.
We had some off-line discussion about this yesterday, and I think the
conclusion was that this is the correct behaviour, but that there
should be some way to make it use the reverse name.
/Johan
>Unformatted: