Date: Wed, 27 Jun 2012 18:12:44 +0000 (UTC)
From: "Alejandro Abdelnur (JIRA)"
To: common-issues@hadoop.apache.org
Message-ID: <245157296.63016.1340820764439.JavaMail.jiratomcat@issues-vm>
In-Reply-To: <227073204.34630.1340211763270.JavaMail.jiratomcat@issues-vm>
Subject: [jira] [Commented] (HADOOP-8518) SPNEGO client side should use KerberosName rules

    [ https://issues.apache.org/jira/browse/HADOOP-8518?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13402427#comment-13402427 ]

Alejandro Abdelnur commented on HADOOP-8518:
--------------------------------------------

@Daryn, regarding the server sending the hostname in a header, that is not part of the SPNEGO protocol. And it could be a security vulnerability; it would enable a MiM attack. Plus, the client has to dictate what is the server principal as we are enforcing dual authentication.

> SPNEGO client side should use KerberosName rules
> ------------------------------------------------
>
>                 Key: HADOOP-8518
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8518
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.0.3, 2.0.0-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>             Fix For: 1.1.0, 2.0.1-alpha
>
>
> Currently KerberosName is used only on the server side to resolve the client name, we should use it on the client side as well to resolve the server name before getting the Kerberos ticket.