[OpenAFS] dots in usernames

Russ Allbery rra@stanford.edu
Fri, 12 Oct 2007 13:23:01 -0700


Dave Botsch <botsch@cnf.cornell.edu> writes:

> Is it nothing more than a "if dot don't allow" or is there some
> particular reason that if is there (allowing the dot in the username
> would break something else)?

The problem is that AFS uses Kerberos v4 naming for PTS entries, and when
you convert Kerberos v5 instances to Kerberos v4, you can't tell the
difference between rra.root and rra/root.  Since that ambiguity could
potentially cause security issues if a principal with a period in it
happened to map to a privileged instance, the current code takes the
maximally conservative approach of rejecting any Kerberos v5 principal
containing a period.

There was some discussion a while back about the possible acceptable
solutions that wouldn't run the risk of introducing a security issue due
to name conflicts.

The real long-term solution, of course, is to teach PTS about Kerberos v5
principal names, but that's a reasonably large chunk of work.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
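The name collision Russ describes, worked through as an added example (constructed for this page, not OpenAFS code or anything from the thread): a lossy v5-to-v4 conversion turns both rra/root and rra.root into the same v4 name, and a conservative mapping refuses any principal whose name or instance contains a period. The realm handling is simplified and assumes a local-cell principal.

```python
import re
from typing import Optional, Tuple

# Constructed example, not OpenAFS code. It shows why a Kerberos v5 principal
# with a period in it cannot be safely mapped onto a Kerberos v4-style PTS name.
V5_PRINCIPAL = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^@]+)$")


def parse_v5(principal: str) -> Tuple[str, str, str]:
    """Split 'name[/instance]@REALM' into (name, instance, realm)."""
    m = V5_PRINCIPAL.match(principal)
    if not m:
        raise ValueError(f"not a v5 principal: {principal!r}")
    name, instance, realm = m.groups()
    return name, instance or "", realm


def v5_to_v4_naive(principal: str) -> str:
    """Lossy v5 -> v4 conversion: the '/' separating name and instance
    becomes '.', so rra/root and rra.root both come out as rra.root."""
    name, instance, realm = parse_v5(principal)
    v4 = f"{name}.{instance}" if instance else name
    return f"{v4}@{realm}"


def collides(a: str, b: str) -> bool:
    """True when two distinct v5 principals share one v4 name."""
    return a != b and v5_to_v4_naive(a) == v5_to_v4_naive(b)


def v5_to_pts_name(principal: str) -> Optional[str]:
    """Conservative mapping in the spirit of the thread: refuse any principal
    whose name or instance contains a period, otherwise return the v4-style
    PTS name (realm dropped; assumes the principal is from the local cell)."""
    name, instance, _realm = parse_v5(principal)
    if "." in name or "." in instance:
        return None
    return f"{name}.{instance}" if instance else name


if __name__ == "__main__":
    for p in ("rra@EXAMPLE.ORG", "rra/root@EXAMPLE.ORG", "rra.root@EXAMPLE.ORG"):
        print(f"{p:25} v4={v5_to_v4_naive(p):25} pts={v5_to_pts_name(p)}")
    print("collision:", collides("rra/root@EXAMPLE.ORG", "rra.root@EXAMPLE.ORG"))
```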