(Final?) krb5.Conf Lexer/Parser Proposal

Alexandra Ellwood lxs at MIT.EDU
Fri Jan 6 20:11:37 EST 2006

On Jan 6, 2006, at 7:39 PM, Ken Raeburn wrote:

> Some nitpicking...
> On Jan 6, 2006, at 17:53, Alexandra Ellwood wrote:
>> Distributing it over the network seems like a bad idea since it runs
>> afoul of all the same problem as exporting domain_realm information
>> over insecure DNS SRV records.
> That would be DNS TXT records, for the domain_realm mapping.
> DNS SRV records are for realm->kdc mappings.

My bad.  While editing I combined two sentences into one and got the  
wrong halves.  Whoops.  ;-)

>>   And you couldn't use it for
>> krb5_init_secure_context() since the information coming from that
>> configuration isn't secure at all.
> Actually, krb5_init_secure_context is about making setuid-type  
> programs safe (well, safer), by not pulling in certain information  
> from the environment, like the value of $KRB5_CONFIG.  It has  
> nothing to do with whether we pull in data from DNS or other  
> network sources.  If you don't trust such data when running setuid,  
> you shouldn't be trusting it by default for random users either, so  
> you'd turn it off via the config file, or whatever....

With the existence of the '*' operator, a user-editable config file  
gives the user the same powers that setting $KRB5_CONFIG does because  
they can override arbitrary sections of the system configuration.  As  
a result on Mac OS X we modify the secure context search paths to  
only include the system configuration files, not the user one.

However, you're right that krb5_init_secure_context() isn't terribly  


Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team

More information about the krbdev mailing list