Subject: ut oh..
To: None <explorer@NetBSD.ORG>
From: Bill Sommerfeld <email@example.com>
Date: 03/22/1996 14:20:37
-----BEGIN PGP SIGNED MESSAGE-----
    Fix telnet so that KerberosIV encryption works with CNAMEs:
        for ip # based telnets:
            get the host name via gethostbyaddr() and use the
            name returned. If the call fails, keep
            the numeric version and let kerberos fail.
        for telnets to CNAMEs:
            After the gethostbyname() has returned the correct
            ip #, use it as above to get the true
            name of the machine.

This is a *bad* idea.

This introduces a vulnerability to name-server based spoofing.

Since the DNS is not secure, I can pollute your cache with a CNAME
pointing at a different kerberos telnet server (either in the same
realm or in a different realm which your realm has exchanged
interrealm keys with), and make you request a secure connection to a
server other than the one you expected to.

This would be especially bad if kerberos4 telnet supported ticket
forwarding (like krb5 telnet does..)

I would strongly suggest that you print the server principal name you
actually end up using if the client pulls this stunt..
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
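
Added example, not part of the original message or of the telnet source: a sketch of the check suggested above, which reports the server principal whenever it is derived from a DNS answer that differs from what the user typed. The function names, the "rcmd" service name, the first-label instance mapping and the sample host names used with it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERVICE "rcmd"   /* assumed service name for this example */

/* Instance = lower-cased first label of the host name (assumed mapping). */
static void host_instance(const char *host, char *out, size_t outlen)
{
    size_t i = 0;
    while (host[i] != '\0' && host[i] != '.' && i + 1 < outlen) {
        out[i] = (char)tolower((unsigned char)host[i]);
        i++;
    }
    out[i] = '\0';
}

/* Case-insensitive host compare that ignores a single trailing dot. */
static int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * typed:    what the user gave telnet (host name or numeric address).
 * from_dns: name the resolver handed back, or NULL if the lookup failed.
 * Writes the principal that will be requested into princ. Returns 1 and
 * fills warn when that principal comes from a DNS answer that differs
 * from what was typed; returns 0 (warn left empty) otherwise.
 */
int choose_principal(const char *typed, const char *from_dns,
                     char *princ, size_t plen, char *warn, size_t wlen)
{
    char inst[64];
    const char *used = from_dns ? from_dns : typed;

    host_instance(used, inst, sizeof inst);
    snprintf(princ, plen, "%s.%s", SERVICE, inst);
    if (wlen > 0) warn[0] = '\0';
    if (from_dns == NULL || same_host(typed, from_dns))
        return 0;
    snprintf(warn, wlen, "asked for %s, authenticating to %s (host %s from DNS)",
             typed, princ, from_dns);
    return 1;
}
```

A caller would print warn to the user before the Kerberos exchange starts whenever the return value is 1.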