From owner-freebsd-doc@FreeBSD.ORG Thu Sep 4 11:28:42 2003
Date: Thu, 4 Sep 2003 19:28:36 +0100
From: Ceri Davies
To: Tom Rhodes
cc: FreeBSD-doc@FreeBSD.org, Robert Watson
Subject: Re: [Review Request]: Kerberos5 final draft
Message-ID: <20030904182836.GJ25063@submonkey.net>
In-Reply-To: <20030904133402.06da66da.trhodes@FreeBSD.org>

On Thu, Sep 04, 2003 at 01:34:02PM -0400, Tom Rhodes wrote:
> Greetings -doc team, Robert,
>
> Please see the diff and give me feedback.  This has already gone
> through a good review on -doc so I'm only really waiting for Robert's
> review.  Although I want to get any final comments or "please commit's"
> now.

OK, here are my comments (the ones I posted earlier were not from me, but
posted on behalf of my brother), from a quick scan.

  servers – meaning that external entities can connect and talk

This isn't your text, but should that be —?

+
+
+ The DNS domain (zone)
+ will be EXAMPLE.ORG.

The itemizedlist should be all lowercase.

+ The Kerberos realm will be
+ EXAMPLE.ORG.
+
+

Ditto.

+ Please use real domain names when setting up
+ Kerberos even if you intend to run
+ it internally.  This avoids DNS problems
+ and assures interoperation with other
+ Kerberos realms.
Now, I don't want to be fussy, but above you've replaced "internetwork.."
with "inter-network", so I don't know if that should be "inter-operate" or
not, but ispell seems to think so.

+ default_realm = example.org
+
+ With the following lines being appended to the
+ exmple.org zonefile:
+
+ _kerberos._udp IN SRV 01 00 88 kerberos.example.org.
+_kerberos._tcp IN SRV 01 00 88 kerberos.example.org.

s/exmple/example/

+
+ MIT and Heimdal interoperate nicely.
+ Except for kadmin, the protocol for
+ which is not standardized.
+

See above comment regarding the hyphen.

+ /etc/hosts as a minimum).  CNAMEs
+ will work, but the A and PTR records must be correct and in
+ place.  The error message isn't very intuitive:
+ KerberosV5 refuses authentication because Read req
+ failed: Key table entry not found.
+

You use "KerberosV5" here, but "Kerberos5" everywhere else.

+ Kerberos allows users, hosts
+ and services to authenticate between themselves.  It does not
+ have a mechanism to authenticate the KDC
+ to the users, hosts or services.  This means that a trojaned
+ kinit (for example) could record all user
+ names and passwords.  Something like
+ security/tripwire or

I think "trojaned" is normally spelled "trojanned" (but I can't be sure,
because it's not a real word).

+ Kerberos home page
+
+
+
+
+

Capitalisation of "itemizedlist" again.

I have attached a diff against your diff containing fixes for all the
above, but feel free to not use any you don't agree with.

Ceri

-- 
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
  -- www.chatterboxchallenge.com

Attachment: krb.diff

--- trhodes.bak Thu Sep 4 19:15:00 2003 +++ trhodes Thu Sep 4 19:19:25 2003 @@ -77,7 +77,7 @@ --- chapter.sgml Thu Sep 4 13:12:30 2003 +++ chapter.new Thu Sep 4 13:19:05 2003
@@ -106,7 +106,7 @@ - servers – meaning that external entities can connect and talk + servers — meaning that external entities can connect and talk to them. As yesterday's mini-computers and mainframes become today's desktops, and as computers become networked and - internetworked, security becomes an even bigger issue. @@ -153,7 +153,7 @@ + For purposes of demonstrating a Kerberos + installation, the various namespaces will be handled as follows: + -+ ++ + + The DNS domain (zone) + will be EXAMPLE.ORG. @@ -163,13 +163,13 @@ + The Kerberos realm will be + EXAMPLE.ORG. + -+ ++ + + + Please use real domain names when setting up + Kerberos even if you intend to run + it internally. This avoids DNS problems -+ and assures interoperation with other ++ and assures inter-operation with other + Kerberos realms. + + @@ -273,7 +273,7 @@ + default_realm = example.org + + With the following lines being appended to the -+ exmple.org zonefile: ++ example.org zonefile: + + _kerberos._udp IN SRV 01 00 88 kerberos.example.org. +_kerberos._tcp IN SRV 01 00 88 kerberos.example.org. @@ -559,7 +559,7 @@ + + + -+ MIT and Heimdal interoperate nicely. ++ MIT and Heimdal inter-operate nicely. + Except for kadmin, the protocol for + which is not standardized. + @@ -578,7 +578,7 @@ + /etc/hosts as a minimum). CNAMEs + will work, but the A and PTR records must be correct and in + place. The error message isn't very intuitive: -+ KerberosV5 refuses authentication because Read req ++ Kerberos5 refuses authentication because Read req + failed: Key table entry not found. + + @@ -784,7 +784,7 @@ + Kerberos allows users, hosts + and services to authenticate between themselves. It does not + have a mechanism to authenticate the KDC -+ to the users, hosts or services. This means that a trojaned ++ to the users, hosts or services. This means that a trojanned + kinit (for example) could record all user + names and passwords. Something like + security/tripwire or 
@@ -825,7 +825,7 @@ + Kerberos home page + + -+ ++ + + +
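Review bot: the dash change in the @@ -106 hunk rewrites what appears to be a context line of the inner patch rather than a line the Kerberos draft adds (the cover note itself says "This isn't your text"), so after this edit the "servers ... meaning that external entities can connect and talk" line no longer matches chapter.sgml and that hunk of Tom's diff will be rejected when applied. Keep the context line as it is and make the dash change its own -/+ pair against chapter.sgml (or a separate commit), written as the &mdash; entity if that is how chapter.sgml spells its other dashes.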
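Review bot: the "interoperation" to "inter-operation" change in the @@ -163 hunk and the "interoperate" to "inter-operate" change in the @@ -559 hunk introduce hyphens that standard usage does not have; the Kerberos RFCs and both the MIT and Heimdal documentation write "interoperate", and ispell flagging it is a dictionary gap rather than a spelling rule. Suggest dropping these two hunks and keeping the unhyphenated forms; whether "inter-network" elsewhere in the draft should match is a question for that word, not this one.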
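Review bot: the exmple/example fix in the @@ -273 hunk is right, but the line "+ default_realm = example.org" in the same hunk still disagrees with the realm the draft names in the @@ -163 hunk ("The Kerberos realm will be EXAMPLE.ORG."). Realm names are case-sensitive, so a client configured with the lowercase value asks for tickets from a realm the KDC does not serve; change it to default_realm = EXAMPLE.ORG. The two SRV records beneath it are fine as written (priority 1, weight 0, port 88), but they rely on kerberos.example.org having an A record, which is exactly the requirement the @@ -578 hunk goes on to state.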
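Review bot: before renaming "KerberosV5" to "Kerberos5" in the @@ -578 hunk for consistency, check whether the sentence "KerberosV5 refuses authentication because Read req failed: Key table entry not found" is quoted program output; it reads like the telnet client's "Kerberos V5 refuses authentication because ..." message, and a quoted error string has to match what the software prints so readers can search for it. If it is output, leave the wording as the program has it and mark the line up as a literal; if it is the author's paraphrase, the rename is fine.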
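Review bot: "trojaned" (one n) is the spelling in common use in security writing, so the @@ -784 hunk swaps one unattested form for another; if the word itself is the worry, recast as "a replaced kinit" and sidestep it. The substance of the paragraph should stay: it correctly states that Kerberos authenticates principals to one another but gives clients no way to verify the KDC, which is why integrity checking of the client binaries (the security/tripwire suggestion that follows) is the mitigation offered.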
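As an added example (not part of this thread or of the handbook draft), the following Python check reads a krb5.conf fragment and a zone-file fragment, both constructed here from the values the draft uses (example.org, EXAMPLE.ORG, SRV records on port 88), and reports the realm-case mismatch and the missing-A-record condition the draft's text warns about.

```python
import re

# Constructed inputs built from the draft's values (not the draft's own files).
KRB5_CONF = "[libdefaults]\n    default_realm = example.org\n"
ZONE = """
kerberos        IN A    192.0.2.10
_kerberos._udp  IN SRV  01 00 88 kerberos.example.org.
_kerberos._tcp  IN SRV  01 00 88 kerberos.example.org.
"""

def default_realm(conf):
    """Return the default_realm value from a krb5.conf fragment, or None."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def parse_zone(zone):
    """Return ({srv_owner: (port, target)}, {owners that have an A record})."""
    srv, a_names = {}, set()
    for line in zone.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1:3] == ["IN", "A"]:
            a_names.add(f[0])
        elif len(f) >= 7 and f[1:3] == ["IN", "SRV"]:
            # owner IN SRV priority weight port target
            srv[f[0]] = (int(f[5]), f[6].rstrip("."))
    return srv, a_names

def check_realm(conf, zone, domain):
    """Return a list of problems; an empty list means the fragments agree."""
    problems = []
    realm = default_realm(conf)
    # Realm names are case-sensitive; the convention is the upper-cased DNS domain.
    if realm != domain.upper():
        problems.append(f"default_realm {realm!r} should be {domain.upper()!r}")
    srv, a_names = parse_zone(zone)
    for owner in ("_kerberos._udp", "_kerberos._tcp"):
        if owner not in srv:
            problems.append(f"missing SRV record {owner}.{domain}")
            continue
        port, target = srv[owner]
        if port != 88:
            problems.append(f"{owner} uses port {port}, expected 88")
        host = target[:-len(domain) - 1] if target.endswith("." + domain) else target
        # The KDC name must resolve via an A record, not only a CNAME.
        if host not in a_names:
            problems.append(f"SRV target {target} has no A record in the zone")
    return problems

if __name__ == "__main__":
    for p in check_realm(KRB5_CONF, ZONE, "example.org"):
        print("problem:", p)
```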