(Final?) krb5.Conf Lexer/Parser Proposal

Ken Raeburn raeburn at MIT.EDU
Fri Jan 6 19:39:04 EST 2006

Some nitpicking...

On Jan 6, 2006, at 17:53, Alexandra Ellwood wrote:
> Distributing it over the network seems like a bad idea since it runs
> afoul of all the same problem as exporting domain_realm information
> over insecure DNS SRV records.

That would be DNS TXT records, for the domain_realm mapping.
DNS SRV records are for realm->kdc mappings.

>   And you couldn't use it for
> krb5_init_secure_context() since the information coming from that
> configuration isn't secure at all.

Actually, krb5_init_secure_context is about making setuid-type  
programs safe (well, safer), by not pulling in certain information  
from the environment, like the value of $KRB5_CONFIG.  It has nothing  
to do with whether we pull in data from DNS or other network  
sources.  If you don't trust such data when running setuid, you  
shouldn't be trusting it by default for random users either, so you'd  
turn it off via the config file, or whatever....


More information about the krbdev mailing list