(Final?) krb5.Conf Lexer/Parser Proposal
raeburn at MIT.EDU
Fri Jan 6 19:39:04 EST 2006
On Jan 6, 2006, at 17:53, Alexandra Ellwood wrote:
> Distributing it over the network seems like a bad idea since it runs
> afoul of all the same problem as exporting domain_realm information
> over insecure DNS SRV records.
That would be DNS TXT records, for the domain_realm mapping.
DNS SRV records are for realm->kdc mappings.
> And you couldn't use it for
> krb5_init_secure_context() since the information coming from that
> configuration isn't secure at all.
Actually, krb5_init_secure_context is about making setuid-type
programs safe (well, safer), by not pulling in certain information
from the environment, like the value of $KRB5_CONFIG. It has nothing
to do with whether we pull in data from DNS or other network
sources. If you don't trust such data when running setuid, you
shouldn't be trusting it by default for random users either, so you'd
turn it off via the config file, or whatever....
More information about the krbdev