/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1990,1991,2002,2008,2009 by the Massachusetts Institute of Technology.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 *
 * krb5_get_fallback_host_realm()
 * krb5int_clean_hostname()
 */

/*
 * Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Figures out the Kerberos realm names for host, filling in a
 * pointer to an argv[] style list of names, terminated with a null pointer.
 *
 * If host is NULL, the local host's realms are determined.
 *
 * If there are no known realms for the host, the filled-in pointer is set
 *
 * The pointer array and strings pointed to are all in allocated storage,
 * and should be freed by the caller when finished.
 */

/*
 * this implementation only provides one realm per host, using the same
 * mapping file used in kerberos v4.
 *
 * Given a fully-qualified domain-style primary host name,
 * return the name of the Kerberos realm for the host.
 * If the hostname contains no discernable domain, or an error occurs,
 * return the local realm name, as supplied by krb5_get_default_realm().
 * If the hostname contains a domain, but no translation is found,
 * the hostname's domain is converted to upper-case and returned.
 *
 * The format of each line of the translation file is:
 * domain_name kerberos_realm
 * host_name kerberos_realm
 *
 * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU)
 * host names should be in the usual form (e.g. FOO.BAR.BAZ)
 */

#endif /* KRB5_DNS_LOOKUP */

/* Get the local host name, try to make it fully-qualified.
   Always return a null-terminated string.
   Might return an error if gethostname fails. */

/*
   Search for the best match for the host or domain.
   Example: Given a host a.b.c.d, try to match on:
 */
printf(" trying to look up %s in the domain_realm map\n", cp);
/* Setup for another test */
printf(" done searching the domain_realm map\n");

/*
 * Ganked from krb5_get_host_realm; handles determining a fallback realm
 * to try in the case where referrals have failed and it's time to go
 * look at TXT records or make a DNS-based assumption.
 */

/* Convert what we hope is a hostname to a string. */
printf("get_fallback_host_realm(host >%s<) called\n", host);

/*
 * Try looking up a _kerberos.<hostname> TXT record in DNS. This
 * heuristic is turned off by default since, in the absence of
 * secure DNS, it can allow an attacker to control the realm used
 */
#endif /* KRB5_DNS_LOOKUP */

/*
 * Next try searching the domain components as realms. This
 * heuristic is also turned off by default. If DNS lookups for
 * KDCs are enabled (as they are by default), an attacker could
 * control which domain component is used as the realm for a host.
 */

/*
 * The next fallback--and the first one to apply with default
 * configuration--is to use the upper-cased parent domain of the
 * hostname, regardless of whether we can actually look it up as a
 */

/*
 * The final fallback--used when the fully-qualified hostname has
 * only one component--is to use the local default realm.
 */

/*
 * Common code for krb5_get_host_realm and krb5_get_fallback_host_realm
 * to do basic sanity checks on supplied hostname.
 */

/* Filter out numeric addresses if the caller utterly failed to
   convert them to names. */

/* IPv4 - dotted quads only */

/* All numbers and dots... if it's three dots, it's an
   IP address, and we reject it. But "12345" could be
   a local hostname, couldn't it? We'll just assume
   that a name with three dots is not meant to be an
   all-numeric hostname three all-numeric domains down
   from the current domain. */

/* IPv6 numeric address form? Bye bye. */

/* Should probably error out if strlen(host) > MAXDNAME. */

/* strip off trailing dot */

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Walk through the components of a domain. At each stage determine
 * if a KDC can be located for that domain. Return a realm
 * corresponding to the upper-cased domain name for which a KDC was
 * found or NULL if no KDC was found. Stop searching after limit
 * labels have been removed from the domain (-1 means don't search at
 * all, 0 means try only the full domain itself, 1 means also try the
 * parent domain, etc.) or when we reach a parent with only one label.
 */

/* Upper case the domain (for use as a realm) */

/* Search up to limit parents, as long as we have multiple labels. */

/* Find a kdc based on this part of the domain name. */
if (!r) {
    /* Found a KDC! */

/*
 * Frees the storage taken by a realm list returned by krb5_get_host_realm.
 */

/* same format, so why duplicate code? */
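
The hostname sanity checks and the two fallbacks that apply with default configuration (upper-cased parent domain, then the local default realm), as an added example that is not the MIT or Oracle code from this file. The names clean_hostname and fallback_realm, the 256-byte buffer standing in for MAXDNAME, and the default_realm parameter are assumptions; no DNS is consulted.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical helper (not krb5int_clean_hostname itself): copy host into
 * out without a trailing dot. Returns -1 for empty, over-long or numeric
 * address input, 0 otherwise. */
int clean_hostname(const char *host, char *out, size_t outlen)
{
    size_t len = strlen(host), dots = 0, i;

    if (len == 0 || len >= outlen)
        return -1;
    if (strchr(host, ':') != NULL)              /* IPv6 numeric form */
        return -1;
    if (strspn(host, "0123456789.") == len) {   /* all numbers and dots */
        for (i = 0; i < len; i++)
            dots += (host[i] == '.');
        if (dots == 3)                          /* dotted quad */
            return -1;
    }
    memcpy(out, host, len);
    if (out[len - 1] == '.')                    /* strip trailing dot */
        len--;
    out[len] = '\0';
    return len > 0 ? 0 : -1;
}

/* Hypothetical: the two fallbacks that need no DNS. Writes the upper-cased
 * parent domain, or default_realm for a single-component name. */
int fallback_realm(const char *host, const char *default_realm,
                   char *realm, size_t realmlen)
{
    char clean[256];                            /* stand-in for MAXDNAME */
    const char *dot, *src;
    size_t i;
    int parent;

    if (clean_hostname(host, clean, sizeof(clean)) != 0)
        return -1;
    dot = strchr(clean, '.');
    parent = (dot != NULL && dot[1] != '\0');
    src = parent ? dot + 1 : default_realm;
    if (strlen(src) >= realmlen)
        return -1;
    for (i = 0; src[i] != '\0'; i++)
        realm[i] = parent ? (char)toupper((unsigned char)src[i]) : src[i];
    realm[i] = '\0';
    return 0;
}
```

Under the three-dot rule as stated, a dotted quad written with a trailing dot has four dots and is not rejected, so callers should not treat this check as address validation.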