Project Review: kinit -C

John Hascall john at iastate.edu
Fri Sep 17 12:01:14 EDT 2010



-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> On Fri, Sep 17, 2010 at 06:58:02AM -0500, John Hascall wrote:
> > I'm wondering why this would be.  I'm thinking this isn't much more
> > than a config file and/or command line option a la '-i eth0' and
> > an if-statement here or there.  In fact, even in the absence of
> > multiple KDCs I would think restricting which interface you would
> > talk to might be a good thing.

> Why would that be a good thing?  If it'd be inappropriate to run the KDC
> on one interface then chances are you should be doing something more
> involved to separate your network traffic anyways.

I just think that "belt AND suspenders" is a good idea.


> > > Virtualization is an easy answer here.
> > Perhaps we're paranoid, but it's not one I ever see us
> > using on something like a KDC.

> To separate realms?  I do.  OTOH, if you don't need it ...

No, because virtualization is just another large and complicated
piece of software which means it has bugs.  There are plenty
of places where this small risk is outweighed by other advantages.
To me the KDC is not one of those places, but then, I'm a guy
who thinks a locked bezel in a locked rack in a locked cage in
a locked room might not be quite enough locks.  YMMV.

John

