[Review Request] Kerberose 5 patch. Version two!

Ceri Davies setantae at submonkey.net
Thu Sep 4 15:23:58 UTC 2003 

On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> All,
> 
> Ok, after finally digging through the large amount of comments in
> my email, and finding some free time to actually apply them, I have
> produced another version.  This mixes comments from everyone who
> send any, and I hope this looks good.

Tom,

I forwarded this to my brother, who recently set up a Kerberos5 installation
(albeit on NetBSD), and he came back with the attached comments.

Hope they help.

Ceri
-- 
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
                                           -- www.chatterboxchallenge.com
-------------- next part --------------
From rasputin at idoru.mine.nu Thu Sep 04 14:52:39 2003
Return-path: <rasputin at idoru.mine.nu>
Envelope-to: setantae at submonkey.net
Delivery-date: Thu, 04 Sep 2003 14:52:39 +0100
Received: from shaft.techsupport.co.uk ([212.250.77.214])
	by shrike.submonkey.net with esmtp (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.22)
	id 19uuXL-0007ah-KY
	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:35 +0100
Received: from pc2-cdif1-6-cust172.cdif.cable.ntl.com
	([80.3.231.172] helo=idoru.mine.nu ident=8136-ident-is-a-completely-pointless-protocol-that-offers-no-security-or-traceability-at-all-so-take-this-and-log-it!)
	by shaft.techsupport.co.uk with esmtp (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
	(Exim 4.20)
	id 19uuXJ-0004Al-PB
	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:33 +0100
Received: from rasputin by idoru.mine.nu with local (Exim 4.10)
	id 19uuXH-0006vk-00
	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:31 +0100
Date: Thu, 4 Sep 2003 14:52:31 +0100
From: Rasputin <rasputin at idoru.mine.nu>
To: Ceri Davies <setantae at submonkey.net>
Subject: Re: [trhodes at FreeBSD.org: [Review Request] Kerberose 5 patch.  Version two!]
Message-ID: <20030904135231.GA24693 at lb.tenfour>
Reply-To: Rasputin <rasputin at idoru.mine.nu>
References: <20030904100736.GB25063 at submonkey.net> <20030904121506.GA23968 at lb.tenfour> <20030904122856.GC25063 at submonkey.net> <20030904123147.GA18323 at lb.tenfour> <20030904130235.GF25063 at submonkey.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030904130235.GF25063 at submonkey.net>
User-Agent: Mutt/1.4.1i
X-Spam-Status: No, hits=-8.9 required=5.0
	tests=AWL,BAYES_20,IN_REP_TO,REFERENCES,USER_AGENT_MUTT
	autolearn=ham version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Status: RO
Content-Length: 2323
Lines: 64

* Ceri Davies <setantae at submonkey.net> [0902 14:02]:

Ta for that, it all looks good. I'm surprised by 3 bits though.
[ I assume you have the same Heimdal distro as us,if you don't
that would explain 2) and 3) ]

1) "   For purposes of demonstrating a Kerberos installation, the various
   namespaces will be handled as follows:
     * The DNS domain (``zone'') will be example.org.
     * The Kerberos realm will be example.org.

     Note: Please use real domain names when setting up Kerberos even if
     you intend to run it internally. This avoids DNS problems and
     assures interoperation with other Kerberos realms.
"
I know it's only a convention, but I'd still put the realm name in caps.


2) "10.7.2 Setting up a Heimdal KDC

   Next we will set up your Kerberos config file, /etc/krb5.conf:
[libdefaults]
    default_realm = example.org
.
.
.
"

If you set up BIND properly, that's all you need in krb5/conf, see:

http://www.netbsd.org/Documentation/network/#kerberos

You just add this to the zonefile for example.org:


     _kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
     _kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
     _kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
     _kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
     _kerberos           IN  TXT     EXAMPLE.ORG.
     
 That assumes kadmind is on the same box as the KDC. Makes clients lot
easier to setup though, and means you can move the KDC around easier.

Some would say it makes spoofing easier,but they would be wrong :)
(the hostname is the conf file mean syou are dependant on DNS anyway to
hit the KDC, so you may as well make best use of it.)


3) "10.7.8.2 Kerberos is intended for single-user workstations

   In a multi-user environment, Kerberos is less secure. This is because
   it stores the tickets in the /tmp directory, which is readable by all
   users. If a user is sharing a computer with several other people
   simultaneously (i.e. multi-user), it is possible that the user's
   tickets can be stolen (copied) by another user."

If the files are world-readable in /tmp then I agree,
but to be honest that's a bug that shouldbefixed.


-- 
A bird in the hand makes it awfully hard to blow your nose.
Rasputin :: Jack of All Trades - Master of Nuns

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-doc/attachments/20030904/4fd17eb0/attachment.sig>

More information about the freebsd-doc mailing list