tech-security archive


Re: Heimdal and IPv6



On "Sat, 25 Oct 2008 16:27:38 +0100",
Roy Marples <roy%marples.name@localhost> wrote:

>Hi List
>
>I've installed NetBSD-4.99.73 on an AMD64 server, correctly configured
>as an IPv4 and IPv6 gateway.
>
>As Heimdal comes in the base system, I played around a little and have
>it working sweet except for one detail - kerberos fails over IPv6
>
>$ telnet -ax ip6.marples.name
>Trying fee1::209:5bff:fe84:887d...
>Connected to ip6.marples.name.
>Escape character is '^]'.
>[ Trying KERBEROS5 ... ]
>[ Kerberos V5 refuses authentication because Read req failed: Key table
>entry not found ]

I'm guessing here that "ip6.marples.name" isn't the actual hostname of
the host in question, and that the name used over IPv4 is. If this is
the case, then this is normal behavior for Kerberos. With Kerberos (or
at least all of the variants I've worked with) a host has One True
Name and it should point to all the A and AAAA addresses for that
machine that the kerberized apps listen on.

># ktutil l
>FILE:/etc/krb5.keytab:
>
>Vno  Type                     Principal
>  1  des-cbc-md5              host/ip6.marples.name%MARPLES.NAME@localhost
>  1  des-cbc-md4              host/ip6.marples.name%MARPLES.NAME@localhost
>  1  des-cbc-crc              host/ip6.marples.name%MARPLES.NAME@localhost
>  1  aes256-cts-hmac-sha1-96  host/ip6.marples.name%MARPLES.NAME@localhost
>  1  des3-cbc-sha1            host/ip6.marples.name%MARPLES.NAME@localhost
>  1  arcfour-hmac-md5         host/ip6.marples.name%MARPLES.NAME@localhost
>
>$ host ip6.marples.name
>ip6.marples.name has IPv6 address fee1::209:5bff:fe84:887d
>$ host fee1::209:5bff:fe84:887d
>d.7.8.8.4.8.e.f.f.f.b.5.9.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.1.e.e.f.ip6.arpa
>domain name pointer ip6.marples.name.

This looks like the problem. The host lookup of the hostname should
return all addresses for the machine. And the lookup of each address
needs to return the hostname of the machine. If you're looking up an
alternate name for the host, it should be okay with it returning
only one or some of the addresses, but each address must reverse
lookup to the actual hostname.

>Adding the principal host/fee1::209:5bff:fe84:887d then gives
>[ Kerberos V5 refuses authentication because Read req failed: Decrypt
>integrity check failed ]

This is expected; host only works with names, not addresses.

>Any ideas?

Change the reverse lookups to point to the actual hostname and add the
rest of the A and AAAA records to the actual hostname's entry.

Also, if you've done any redundant records in /etc/hosts, make sure
they agree.

>Worth filing a PR?

Doubt it. This seems more like something that should go in the
configuration notes.
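The forward/reverse consistency rule described in the reply, as an added check that is not part of the original thread: every A/AAAA record of the canonical host name must have a PTR record naming that canonical host, and an alternate name may only carry a subset of those addresses. The sample DNS data below is constructed (hypothetical names under example.test) and mirrors the misconfiguration in the quoted message; `live_dns_maps` is a hypothetical helper that builds the same maps from the system resolver.

```python
import socket

# Constructed sample data modelled on the thread: the canonical name has an
# A and an AAAA record, the alternate name has only the AAAA record, and the
# PTR for that address names the alternate rather than the canonical host.
SAMPLE_FORWARD = {
    "host.example.test": ["192.0.2.10", "2001:db8::10"],
    "ip6.example.test": ["2001:db8::10"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": "host.example.test",
    "2001:db8::10": "ip6.example.test",
}


def check_host_principal_dns(canonical, forward, reverse, alternates=()):
    """Return a list of problems for a Kerberos host/<canonical> principal.

    forward maps name -> list of addresses, reverse maps address -> PTR name.
    Each canonical address must reverse-map to the canonical name; each
    alternate-name address must be a canonical address with the same PTR.
    """
    problems = []
    canon_addrs = forward.get(canonical, [])
    if not canon_addrs:
        problems.append(f"{canonical}: no A/AAAA records")
    for addr in canon_addrs:
        ptr = reverse.get(addr)
        if ptr != canonical:
            problems.append(f"{addr}: PTR is {ptr!r}, expected {canonical!r}")
    for alt in alternates:
        for addr in forward.get(alt, []):
            if addr not in canon_addrs:
                problems.append(f"{alt}: {addr} is not an address of {canonical}")
            elif reverse.get(addr) != canonical:
                problems.append(f"{alt}: PTR for {addr} does not name {canonical}")
    return problems


def live_dns_maps(names):
    """Hypothetical helper: build forward/reverse maps from the resolver."""
    forward, reverse = {}, {}
    for name in names:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        forward[name] = addrs
        for addr in addrs:
            try:
                reverse[addr] = socket.gethostbyaddr(addr)[0]
            except socket.herror:
                reverse[addr] = None  # no PTR record at all
    return forward, reverse
```

Running the check on the sample data reports both the wrong PTR for the AAAA address and the alternate name that depends on it; pointing the PTR at the canonical name clears both.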

