Bug#573596: [rt.cpan.org #58478] SASL-related host canonicalisation misfeature

Russ Allbery rra at debian.org
Sat Jun 19 18:00:18 UTC 2010


Russ Allbery <rra at debian.org> writes:
> Dominic Hargreaves <dom at earth.li> writes:

>> And just to make explicit, there is a suggested improvement in the
>> Debian BTS:

>>     # If we're talking to a round-robin, the canonical name of
>>     # the host we are talking to might not match the name we
>>     # requested
>>     my $connected_ip = $ldap->{net_ldap_socket}->peeraddr;
>>     my $connected_domain = $ldap->{net_ldap_socket}->sockdomain;
>>     my $connected_name = gethostbyaddr($connected_ip, $connected_domain);
>>     $connected_name ||= $ldap->{net_ldap_host};

> Graham, the current code cannot possibly work with Kerberos GSS-API SASL
> authentications.  Here's what it currently says:

>       # If we're talking to a round-robin, the canonical name of
>       # the host we are talking to might not match the name we
>       # requested
>       my $connected_name = $ldap->{net_ldap_socket}->peerhost;
>       $connected_name ||= $ldap->{net_ldap_host};

> And from IO::Socket::INET:

>     peerhost ()
>         Return the address part of the sockaddr structure for the socket on
>         the peer host in a text form xx.xx.xx.xx

> You cannot do a Kerberos SASL authentication to an IP address.  It will
> never work; Kerberos doesn't support it.  Kerberos requires a hostname.
> So setting the connected name to an IP address will always, always fail if
> you're using GSS-API authentication.

I reviewed the rest of the bug log and now I remember the rest of the
situation.  The reason why you may not have seen this in previous testing
is that apparently some versions of the MIT Kerberos library, when told to
authenticate to an IP address, will under the hood do the work that I
suggested in my proposed modification silently for you, canonicalizing the
IP address to a hostname.  But this is not part of the GSS-API library
guarantee and other GSS-API implementations, such as Heimdal, do not do
this.  Furthermore, MIT doesn't do this always; it only does this if it's
told to do DNS canonicalization.

So while a Kerberos authentication to an IP address will always fail, I
forgot that MIT Kerberos will in some cases fix up this bug for you.  It
still, however, breaks the module completely for people using Heimdal,
which is why we ran into this.  (Heimdal is a considerably faster Kerberos
implementation for LDAP under most circumstances.)

If you want to rely on the DNS canonicalization, you need to do it
directly, not assume that the GSS-API library will do it for you, since
only some of them will do that and in only some situations.

What makes this bug particularly nasty is that, with a GSS-API
implementation that doesn't do this lookup for you, there's no way to work
around the bug without surgery on the Net::LDAP module.  If you really
don't believe me that the code is incorrect as written, please at least
add some way for the caller to override the remote hostname for SASL
authentication so that at least we can work around this bug without having
to maintain a forked version of Net::LDAP.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
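An added example, not code from Net::LDAP or from anyone in this thread, of the canonicalisation the suggested patch performs: reverse-resolve the peer address the socket actually connected to, fall back to the name the caller requested, and refuse outright to hand a bare IP address to the SASL layer instead of hoping the GSS-API library fixes it up. The host names and addresses are constructed, and the `resolver` parameter is a hypothetical hook so the script runs without DNS; in real code the default `gethostbyaddr` branch is what runs.

```perl
#!/usr/bin/perl
# Added example (not Net::LDAP code): pick the hostname handed to
# Authen::SASL for a GSSAPI bind the way the proposed Net::LDAP patch
# does, instead of passing the text IP address that peerhost() returns.
# Host names and addresses below are constructed for the demonstration.
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa AF_INET);

# True if $name is an IPv4 dotted quad or an IPv6 literal, i.e. something
# no Kerberos host-based service principal can be built from.
sub is_ip_literal {
    my ($name) = @_;
    return 1 if $name =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return 1 if $name =~ /^[0-9a-fA-F:]+$/ && $name =~ /:/;
    return 0;
}

# Decide the SASL target host.
#   requested   - the host the caller passed to Net::LDAP->new
#   peer_packed - packed peer address, as IO::Socket::INET->peeraddr returns
#   domain      - address family, as IO::Socket::INET->sockdomain returns
#   resolver    - hypothetical hook replacing gethostbyaddr so the demo
#                 runs offline; omit it in real code
# Returns the hostname, or dies if all we have is an IP literal.
sub sasl_target_host {
    my (%args) = @_;
    my $requested = $args{requested};
    my $peer      = $args{peer_packed};
    my $domain    = defined $args{domain} ? $args{domain} : AF_INET;
    my $resolver  = $args{resolver}
        || sub { scalar gethostbyaddr($_[0], $_[1]) };

    # Same logic as the suggested patch: canonical name of the host we
    # actually reached (a round-robin member), else the name we requested.
    my $name = defined $peer ? $resolver->($peer, $domain) : undef;
    $name = $requested unless defined $name && length $name;

    # Do the check ourselves; only some GSS-API libraries canonicalise.
    die "SASL target '$name' is an IP address, not a hostname; "
      . "GSSAPI authentication needs a hostname\n"
      if !defined $name || is_ip_literal($name);
    return $name;
}

# Shape of the host-based principal Kerberos will look for on an LDAP bind
# (the realm is supplied by the Kerberos library's configuration).
sub ldap_service_principal {
    my ($host) = @_;
    return "ldap/$host";
}

# ---- demonstration with constructed data ------------------------------
my %rdns = ( '192.0.2.10' => 'ldap1.example.com' );   # constructed PTR data
my $fake_resolver = sub {
    my ($packed, $domain) = @_;
    return $rdns{ inet_ntoa($packed) };               # undef if no PTR
};
my $peer = inet_aton('192.0.2.10');                   # constructed peer

# What the current Net::LDAP code does: peerhost() yields the text address.
my $current = inet_ntoa($peer);
printf "current code:  %s -> %s (%s)\n", $current,
    ldap_service_principal($current),
    is_ip_literal($current) ? 'cannot work with Kerberos' : 'ok';

# Proposed fix: reverse-resolve the connected peer.
my $fixed = sasl_target_host(requested   => 'ldap.example.com',
                             peer_packed => $peer,
                             resolver    => $fake_resolver);
printf "proposed fix:  %s -> %s\n", $fixed, ldap_service_principal($fixed);

# No PTR record: fall back to the name the caller requested.
my $fallback = sasl_target_host(requested   => 'ldap.example.com',
                                peer_packed => inet_aton('192.0.2.11'),
                                resolver    => $fake_resolver);
printf "no PTR record: %s -> %s\n", $fallback, ldap_service_principal($fallback);

# Connected by IP literal and no PTR record: nothing usable, refuse loudly.
eval { sasl_target_host(requested   => '192.0.2.11',
                        peer_packed => inet_aton('192.0.2.11'),
                        resolver    => $fake_resolver) };
print "ip-only:       $@" if $@;
```

Run it with `perl` and no network access is needed. Note that, exactly like the snippet from the BTS, the reverse-lookup result is taken at face value as the name to authenticate to; the fallback to the requested name only covers a missing PTR record, not a wrong one.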
