Kerberos dev project for review: domain_realm mapping via KDC referral
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Apr 29 12:37:21 EDT 2008
Since "host-based" is the normal situation, shouldn't the list be the
exclusions?
On Apr 28, 2008, at 9:24 PM, krbdev-request at mit.edu wrote:
> Date: Mon, 28 Apr 2008 17:34:58 -0700
> From: Russ Allbery <rra at stanford.edu>
> Subject: Re: Kerberos dev project for review: domain_realm mapping via KDC referral
> To: MIT Kerberos Dev List <krbdev at mit.edu>
> Message-ID: <873ap5o5vx.fsf at windlord.stanford.edu>
> Content-Type: text/plain; charset=us-ascii
>
> Ken Raeburn <raeburn at MIT.EDU> writes:
>
>> That said, I guess customers of Sun, Apple, Red Hat, etc., aren't going
>> to want to recompile things to add a new name, are they? Okay, how
>> about this:
>>
>> [kdc]
>> host_based_services = foo bar
>> host_based_services = baz
>>
>> ...adds foo, bar, and baz to the compiled-in default list, and no option
>> to disable or subtract from the default list. Would that be
>> sufficient?
>
> That would work for me.
>
>>> I think having a configurable list of components is better than just
>>> looking at the second component and checking whether it looks like a
>>> hostname.
>
>> You mean, be able to say that, if the first component is "fred", we
>> treat component 3 as the hostname? This is supposed to be a minimal
>> implementation -- sufficient to handle your basic host-based services,
>> nothing terribly fancy. Just enough to be able to get rid of the
>> domain_realm specs in most client cases.
>
> No, rather that just because the second component is foo.example.com,
> don't assume that we should do referrals without verifying that the first
> part of the name is really in the host_based_services list.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
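
The check discussed in the quoted thread, as an added example that is not part of any message here and is not MIT Kerberos code: a two-component name is considered for a referral only when its first component is in the service list, however hostname-like the second component looks. The function names, the one-entry built-in list ("host") and the "contains an interior dot" hostname test are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the compiled-in default list (the thread does not enumerate it). */
static const char builtin_services[] = "host";

/* Constructed sample: the two host_based_services lines from the quoted [kdc] stanza. */
static const char *const sample_cfg[] = { "foo bar", "baz", NULL };

/* Return 1 if the n-byte name is one of the whitespace-separated words in list. */
static int in_list(const char *list, const char *name, size_t n)
{
    while (*list != '\0') {
        size_t len = strcspn(list, " \t");
        if (len == n && strncmp(list, name, n) == 0)
            return 1;
        list += len;
        list += strspn(list, " \t");
    }
    return 0;
}

/* Hypothetical helper: decide whether "service/host" (realm stripped, no
 * quoting) may be considered for a referral. */
int referral_candidate(const char *princ, const char *const *cfg)
{
    const char *slash = strchr(princ, '/');
    if (slash == NULL || slash == princ || strchr(slash + 1, '/') != NULL)
        return 0;                       /* need exactly two components */
    size_t n = (size_t)(slash - princ);

    /* First component must be a listed service, whatever the second looks like. */
    int listed = in_list(builtin_services, princ, n);
    for (; !listed && *cfg != NULL; cfg++)
        listed = in_list(*cfg, princ, n);
    if (!listed)
        return 0;

    /* Assumed "looks like a hostname" test: an interior dot. */
    const char *dot = strchr(slash + 1, '.');
    return dot != NULL && dot != slash + 1 && dot[1] != '\0';
}

int main(void)
{
    const char *names[] = { "host/foo.example.com", "baz/foo.example.com",
                            "fred/foo.example.com", "foo/shortname" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s -> %d\n", names[i], referral_candidate(names[i], sample_cfg));
    return 0;
}
```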