Realm lookups again
Mark Phalan
Mark.Phalan at Sun.COM
Thu Oct 2 11:50:44 EDT 2008
On Thu, 2008-10-02 at 10:29 -0500, Nicolas Williams wrote:
> On Thu, Oct 02, 2008 at 11:54:03AM +0200, Mark Phalan wrote:
> > On Thu, 2008-10-02 at 02:35 -0400, Greg Hudson wrote:
> > > Here is my current thinking on the patch, based on the discussion so far:
> > >
> > > 1. The default_realm part of the patch is of limited value. It's not a
> > > safe default, which means it can't (without compromising security)
> > > accomplish the goal of making Kerberos work with zero configuration.
> > > Once there is any kind of configuration requirement, people are better
> > > off configuring the default realm.
> >
> > The security problem is that it does a lookup for each interface IP address.
> > (As already mentioned by Nico) this could be replaced by looking in the
> > keytab for host's keytab entries and using the realm found there.
>
> Note that the keytab lookup can't be done at run-time. The process
> doing the lookup may not have the permission to do it.
True.
>
> So it has to be done at realm-join time. OpenSolaris has a realm-join
> facility, but MIT krb5 does not.
But only when joining an AD realm?
>
> > Alternatively the local /etc/hosts database could be used to look for
> > the interface addresses - actually I understood that libresolv will look
> > into /etc/hosts before going to DNS (Nico?).
>
> Getting host info from /etc/hosts is probably not a good idea -- the
> names there may not be FQDNed, and reading only from /etc/hosts may be
> tricky to do portably.
Right.
-M
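The alternative floated in this thread, deriving the host's realm from the host/ entries in its keytab instead of from DNS lookups on interface addresses, as an added example that is not code from MIT krb5, OpenSolaris or anyone on this list. It is a minimal reader for the MIT keytab file format (version 0x0502, big-endian) that collects the realms of host/<fqdn> principals and accepts the answer only when exactly one realm appears. The keytab path, the sample principals and keys, and the `fqdn` filter are assumptions made up for the demo; the PermissionError branch is where the run-time objection raised above bites, since an unprivileged process simply gets no answer.

```python
"""Derive a host's Kerberos realm from its keytab (MIT format 0x0502)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEYTAB_V2 = 0x0502          # MIT keytab format: all integers big-endian
KRB5_NT_SRV_HST = 3         # name type used for host-based service principals


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _octets(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated keytab")
    return buf[off:off + n], off + n


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, enctype, key, kvno) tuples into a
    version-0x0502 keytab image. Used here only to construct sample data."""
    out = struct.pack(">H", KEYTAB_V2)
    for realm, comps, enctype, key, kvno in entries:
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(buf: bytes) -> List[KeytabEntry]:
    (version,) = struct.unpack_from(">H", buf, 0)
    if version != KEYTAB_V2:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        if end > len(buf):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", buf, off)
        off += 2
        realm, off = _read_octets(buf, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_octets(buf, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", buf, off)
        off += 2
        key, off = _read_octets(buf, off)
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", buf, off)
        off = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type,
                                   timestamp, kvno, enctype, key))
    return entries


def host_realms(entries: List[KeytabEntry], fqdn: Optional[str] = None) -> set:
    """Realms of host/<fqdn> service principals (all hosts if fqdn is None)."""
    return {e.realm for e in entries
            if len(e.components) == 2 and e.components[0] == "host"
            and (fqdn is None or e.components[1].lower() == fqdn.lower())}


def default_realm_from_keytab(buf: bytes, fqdn: Optional[str] = None) -> Optional[str]:
    """Return the realm only if the host/ entries agree on exactly one."""
    realms = host_realms(parse_keytab(buf), fqdn)
    return realms.pop() if len(realms) == 1 else None


def default_realm_from_file(path: str, fqdn: Optional[str] = None) -> Optional[str]:
    try:
        with open(path, "rb") as f:
            return default_realm_from_keytab(f.read(), fqdn)
    except (PermissionError, FileNotFoundError):
        return None               # unprivileged process: cannot decide at run time


# Constructed sample data (hypothetical realms, hosts and keys).
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.COM", ["host", "kdc.example.com"], 18, b"\x01" * 32, 3),
    ("EXAMPLE.COM", ["host", "kdc.example.com"], 17, b"\x02" * 16, 3),
    ("OTHER.ORG", ["nfs", "kdc.example.com"], 18, b"\x03" * 32, 1),
])
AMBIGUOUS_KEYTAB = build_keytab([
    ("EXAMPLE.COM", ["host", "kdc.example.com"], 18, b"\x01" * 32, 3),
    ("OTHER.ORG", ["host", "kdc.example.com"], 18, b"\x04" * 32, 5),
])

if __name__ == "__main__":
    print(default_realm_from_keytab(SAMPLE_KEYTAB, "kdc.example.com"))
    print(default_realm_from_file("/etc/krb5.keytab"))   # None unless readable
```

The refusal to guess when the host/ entries span more than one realm is deliberate: a wrong default realm is the same failure mode the DNS-per-interface lookup has, just reached from a different direction, so the caller should fall back to explicit configuration rather than pick one.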