Date: Thu, 4 Sep 2003 16:23:53 +0100 From: Ceri Davies <setantae@submonkey.net> To: Tom Rhodes <trhodes@FreeBSD.org> Cc: FreeBSD-doc@FreeBSD.org Subject: Re: [Review Request] Kerberose 5 patch. Version two! Message-ID: <20030904152353.GH25063@submonkey.net> In-Reply-To: <20030903163616.04ac91aa.trhodes@FreeBSD.org> References: <20030903163616.04ac91aa.trhodes@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--x+RZeZVNR8VILNfK
Content-Type: multipart/mixed; boundary="BEa57a89OpeoUzGD"
Content-Disposition: inline
--BEa57a89OpeoUzGD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> All,
>=20
> Ok, after finally digging through the large amount of comments in
> my email, and finding some free time to actually apply them, I have
> produced another version. This mixes comments from everyone who
> send any, and I hope this looks good.
Tom,
I forwarded this to my brother, who recently set up a Kerberos5 installation
(albeit on NetBSD), and he came back with the attached comments.
Hope they help.
Ceri
--=20
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
-- www.chatterboxchallenge.com
--BEa57a89OpeoUzGD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=rasputin
Content-Transfer-Encoding: quoted-printable
=46rom rasputin@idoru.mine.nu Thu Sep 04 14:52:39 2003
Return-path: <rasputin@idoru.mine.nu>
Envelope-to: setantae@submonkey.net
Delivery-date: Thu, 04 Sep 2003 14:52:39 +0100
Received: from shaft.techsupport.co.uk ([212.250.77.214])
by shrike.submonkey.net with esmtp (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.22)
id 19uuXL-0007ah-KY
for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:35 +0100
Received: from pc2-cdif1-6-cust172.cdif.cable.ntl.com
([80.3.231.172] helo=3Didoru.mine.nu ident=3D8136-ident-is-a-completely-po=
intless-protocol-that-offers-no-security-or-traceability-at-all-so-take-thi=
s-and-log-it!)
by shaft.techsupport.co.uk with esmtp (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
(Exim 4.20)
id 19uuXJ-0004Al-PB
for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:33 +0100
Received: from rasputin by idoru.mine.nu with local (Exim 4.10)
id 19uuXH-0006vk-00
for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:31 +0100
Date: Thu, 4 Sep 2003 14:52:31 +0100
=46rom: Rasputin <rasputin@idoru.mine.nu>
To: Ceri Davies <setantae@submonkey.net>
Subject: Re: [trhodes@FreeBSD.org: [Review Request] Kerberose 5 patch. Ver=
sion two!]
Message-ID: <20030904135231.GA24693@lb.tenfour>
Reply-To: Rasputin <rasputin@idoru.mine.nu>
References: <20030904100736.GB25063@submonkey.net> <20030904121506.GA23968@=
lb.tenfour> <20030904122856.GC25063@submonkey.net> <20030904123147.GA18323@=
lb.tenfour> <20030904130235.GF25063@submonkey.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=3Dus-ascii
Content-Disposition: inline
In-Reply-To: <20030904130235.GF25063@submonkey.net>
User-Agent: Mutt/1.4.1i
X-Spam-Status: No, hits=3D-8.9 required=3D5.0
tests=3DAWL,BAYES_20,IN_REP_TO,REFERENCES,USER_AGENT_MUTT
autolearn=3Dham version=3D2.55
X-Spam-Level:=20
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Status: RO
Content-Length: 2323
Lines: 64
* Ceri Davies <setantae@submonkey.net> [0902 14:02]:
Ta for that, it all looks good. I'm surprised by 3 bits though.
[ I assume you have the same Heimdal distro as us,if you don't
that would explain 2) and 3) ]
1) " For purposes of demonstrating a Kerberos installation, the various
namespaces will be handled as follows:
* The DNS domain (``zone'') will be example.org.
* The Kerberos realm will be example.org.
Note: Please use real domain names when setting up Kerberos even if
you intend to run it internally. This avoids DNS problems and
assures interoperation with other Kerberos realms.
"
I know it's only a convention, but I'd still put the realm name in caps.
2) "10.7.2 Setting up a Heimdal KDC
Next we will set up your Kerberos config file, /etc/krb5.conf:
[libdefaults]
default_realm =3D example.org
=2E
=2E
=2E
"
If you set up BIND properly, that's all you need in krb5/conf, see:
http://www.netbsd.org/Documentation/network/#kerberos
You just add this to the zonefile for example.org:
_kerberos._udp IN SRV 01 00 88 kerberos.example.org.
_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
_kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
_kerberos IN TXT EXAMPLE.ORG.
=20
That assumes kadmind is on the same box as the KDC. Makes clients lot
easier to setup though, and means you can move the KDC around easier.
Some would say it makes spoofing easier,but they would be wrong :)
(the hostname is the conf file mean syou are dependant on DNS anyway to
hit the KDC, so you may as well make best use of it.)
3) "10.7.8.2 Kerberos is intended for single-user workstations
In a multi-user environment, Kerberos is less secure. This is because
it stores the tickets in the /tmp directory, which is readable by all
users. If a user is sharing a computer with several other people
simultaneously (i.e. multi-user), it is possible that the user's
tickets can be stolen (copied) by another user."
If the files are world-readable in /tmp then I agree,
but to be honest that's a bug that shouldbefixed.
--=20
A bird in the hand makes it awfully hard to blow your nose.
Rasputin :: Jack of All Trades - Master of Nuns
--BEa57a89OpeoUzGD--
--x+RZeZVNR8VILNfK
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQE/V1kJocfcwTS3JF8RAlfUAJ0SI94euxwrGSKHXWJn8vy4eTKt2ACfbdXy
EoW0ItGmcVWNNIz5r3iRMM8=
=rnk3
-----END PGP SIGNATURE-----
--x+RZeZVNR8VILNfK--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030904152353.GH25063>