Turning off hostname canonicalisation

Jeffrey Altman jaltman at MIT.EDU
Mon Sep 12 19:47:46 EDT 2005


Hank:

[appdefaults] was originally added because some sites did not want
to have "Program, local preferences config" file that they needed
to distribute and maintain.  The notion was "we are already distributing
krb5.conf, why should we have to distribute a separate file for each
application?"

The problem is that this doesn't scale.  Not from a standards
perspective or from an application perspective.   The krb5.conf file
must be specific to the Kerberos library.  There is no Kerberos
standards group to assign the name space to application vendors,
nor is there any method of ensuring that all applications will use
the values the same way.   Plus our goal from a Kerberos implementation
perspective is that we want to get rid of the config file entirely
when there is a secure alternative available.

Today, applications have their own configuration files.   That is where
their Kerberos configuration information should be stored.

Jeffrey Altman


Henry B. Hotz wrote:
> Clearly, I've opened a can of worms.  *sigh*  The universe should be 
> simpler than this.
> 
> In an ideal world, where all the possibilities exist I think the 
> priority for an option setting should be:
> 
> Program, hard-coded
> Program, local preferences config
> [appdefaults] program={REALM={...}}
> [appdefaults] program={...}
> [appdefaults] REALM={...}
> [appdefaults] ...
> [libdefaults] REALM={...}
> [libdefaults] ...
> library, hard-coded
> 
> Of course if all the [appdefaults] possibilities exist, then the 
> [libdefaults] possibilities are redundant, provided it's well-known and 
> consistent that the option isn't in [libdefaults].  Ticket renew 
> lifetime comes to mind as an issue.
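The precedence list in the quoted post, carried through as a worked example. This is added illustration code, not part of the original thread and not MIT krb5's own appdefault lookup; it follows the order Henry proposes (including the hypothetical per-realm entries under [libdefaults], which krb5.conf does not actually use), and the config text, program names, realm names and the helper names below are all constructed for the example.

```python
"""Resolve an option through the precedence order proposed in the
quoted post, most specific source first (hypothetical illustration)."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers,
    key = value lines, and key = { ... } blocks (nesting allowed).
    Returns nested dicts; '#' starts a comment."""
    conf = {}
    stack = []                       # dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key/value before any [section]: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def _lookup(node, *path):
    """Walk nested dicts; None if any level is missing or not a leaf."""
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None


def resolve_option(conf, program, realm, option,
                   hard_coded=None, local_prefs=None, library_default=None):
    """Return (value, source) for the first candidate that is set,
    in the order from the quoted post."""
    app = conf.get("appdefaults", {})
    lib = conf.get("libdefaults", {})
    candidates = [
        ("Program, hard-coded", hard_coded),
        ("Program, local preferences config", (local_prefs or {}).get(option)),
        ("[appdefaults] program={REALM={...}}", _lookup(app, program, realm, option)),
        ("[appdefaults] program={...}", _lookup(app, program, option)),
        ("[appdefaults] REALM={...}", _lookup(app, realm, option)),
        ("[appdefaults] ...", _lookup(app, option)),
        ("[libdefaults] REALM={...}", _lookup(lib, realm, option)),
        ("[libdefaults] ...", _lookup(lib, option)),
        ("library, hard-coded", library_default),
    ]
    for source, value in candidates:
        if value is not None:
            return value, source
    return None, None


def shadowed_libdefaults(conf):
    """Options set at the top of [libdefaults] that a top-level
    [appdefaults] entry always wins over; these are the redundant
    values the quoted post worries about."""
    app = conf.get("appdefaults", {})
    lib = conf.get("libdefaults", {})
    return sorted(k for k, v in lib.items()
                  if isinstance(v, str) and isinstance(app.get(k), str))


# Constructed sample configuration (not from any real site).
SAMPLE_CONF = """
[libdefaults]
    renew_lifetime = 7d
    forwardable = false        # shadowed by [appdefaults] below

[appdefaults]
    forwardable = true
    EXAMPLE.ORG = {
        renew_lifetime = 1d
    }
    kinit = {
        renew_lifetime = 3d
        EXAMPLE.ORG = {
            renew_lifetime = 12h
        }
    }
"""

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for prog, realm in [("kinit", "EXAMPLE.ORG"), ("kinit", "OTHER.NET"),
                        ("telnet", "EXAMPLE.ORG"), ("telnet", "OTHER.NET")]:
        print(prog, realm, resolve_option(conf, prog, realm, "renew_lifetime"))
    print("shadowed:", shadowed_libdefaults(conf))
```

The second helper shows the redundancy Henry points out: once a value is set at the top of [appdefaults], the same key in [libdefaults] is dead configuration for any program that honours the full list, which is a useful thing to flag when auditing a distributed krb5.conf.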