From: Tillman Hodgson
To: FreeBSD-doc@freebsd.org
cc: Tom Rhodes
Date: Thu, 4 Sep 2003 11:15:31 -0600
Subject: Re: [Review Request] Kerberose 5 patch. Version two!
Message-ID: <20030904111531.S21559@seekingfire.com>
In-Reply-To: <20030904152353.GH25063@submonkey.net>; from setantae@submonkey.net on Thu, Sep 04, 2003 at 04:23:53PM +0100

On Thu, Sep 04, 2003 at 04:23:53PM +0100, Ceri Davies wrote:
> On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> > All,
> >
> > Ok, after finally digging through the large amount of comments in
> > my email, and finding some free time to actually apply them, I have
> > produced another version. This mixes comments from everyone who
> > sent any, and I hope this looks good.
>
> Tom,
>
> I forwarded this to my brother, who recently set up a Kerberos5 installation
> (albeit on NetBSD), and he came back with the attached comments.
>
> Hope they help.
>
> Ceri
>
> From: Rasputin
> To: Ceri Davies
> Date: Thu, 4 Sep 2003 14:52:31 +0100
> Subject: Re: [trhodes@FreeBSD.org: [Review Request] Kerberose 5 patch. Version two!]
> Message-ID: <20030904135231.GA24693@lb.tenfour>
> In-Reply-To: <20030904130235.GF25063@submonkey.net>
>
> * Ceri Davies [0902 14:02]:
> > Ta for that, it all looks good. I'm surprised by 3 bits though.
> [ I assume you have the same Heimdal distro as us, if you don't
> that would explain 2) and 3) ]
>
> 1) " For purposes of demonstrating a Kerberos installation, the various
> namespaces will be handled as follows:
> * The DNS domain (``zone'') will be example.org.
> * The Kerberos realm will be example.org.
>
> Note: Please use real domain names when setting up Kerberos even if
> you intend to run it internally. This avoids DNS problems and
> assures interoperation with other Kerberos realms.
> "
> I know it's only a convention, but I'd still put the realm name in caps.

I agree - my original draft had it in all caps. I suspect it got lost
when the .prv TLDs were changed to .org.

> 2) "10.7.2 Setting up a Heimdal KDC
>
> Next we will set up your Kerberos config file, /etc/krb5.conf:
> [libdefaults]
> default_realm = example.org
> .
> .
> .
> "
>
> If you set up BIND properly, that's all you need in krb5/conf, see:

I can see your point. I use DNS for my own realms and it does work
quite well.
My arguments for doing it the krb5.conf way:

* You still require a minimal krb5.conf in any case, so putting the
  server information in there results in fewer installation steps. This
  isn't what I do for a large production environment, but it is what
  I'd do for a short tutorial.

* I wanted to avoid creating dependencies - the user may not want to use
  bind.

* The DNS method tends to break kadmin if you run multiple realms off of
  the same KDC. Explaining how to run kadmind on alternate ports is
  beyond the scope of a Handbook chapter IMO.

Would a reference to Kerberos and DNS work?

> 3) "10.7.8.2 Kerberos is intended for single-user workstations
>
> In a multi-user environment, Kerberos is less secure. This is because
> it stores the tickets in the /tmp directory, which is readable by all
> users. If a user is sharing a computer with several other people
> simultaneously (i.e. multi-user), it is possible that the user's
> tickets can be stolen (copied) by another user."
>
> If the files are world-readable in /tmp then I agree,
> but to be honest that's a bug that should be fixed.

It's probably not completely fixable - whoever has root powers has the
capability to "become" any user by using their Kerberos ticket. Granted,
root has that power already but this extends it beyond the local
machine. Users may not expect (or want) that.

Great comments, thanks!

-T

--
Some are born to Enlightenment, some achieve Enlightenment, and others
have Enlightenment larted upon them.
- A.S.R. quote (Greg)
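As an added illustration of points 1) and 2) above (this is not part of the thread or of the Handbook patch under review), here is the minimal static /etc/krb5.conf that Tillman argues for, with the realm name in upper case as the reviewer suggests; the KDC host name kerberos.example.org is assumed.

```ini
# Added example, not from the Handbook patch: a self-contained krb5.conf
# for the tutorial realm. Realm names are conventionally upper case
# (EXAMPLE.ORG), while the DNS zone stays lower case (example.org).
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    # Static KDC and kadmin server locations; with these present the
    # client does not need DNS SRV records to find the realm's servers.
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
    }

[domain_realm]
    # Map host names in the DNS zone to the realm (note the case difference).
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
```

With BIND publishing SRV records such as `_kerberos._udp.example.org` and `_kerberos-adm._tcp.example.org` for the same hosts, the [realms] block becomes redundant, which is the shorter DNS-based setup described in point 2.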