Date:      Thu, 4 Sep 2003 19:28:36 +0100
From:      Ceri Davies <ceri@FreeBSD.org>
To:        Tom Rhodes <trhodes@FreeBSD.org>
Cc:        Robert Watson <rwatson@FreeBSD.org>
Subject:   Re: [Review Request]: Kerberos5 final draft
Message-ID:  <20030904182836.GJ25063@submonkey.net>
In-Reply-To: <20030904133402.06da66da.trhodes@FreeBSD.org>
References:  <20030904133402.06da66da.trhodes@FreeBSD.org>

On Thu, Sep 04, 2003 at 01:34:02PM -0400, Tom Rhodes wrote:
> Greetings -doc team, Robert,
>
> Please see the diff and give me feedback.  This has already gone
> through a good review on -doc so I'm only really waiting for Robert's
> review.  Although I want to get any final comments or "please commit's"
> now.

OK, here are my comments (the ones I posted earlier were not from me,
but posted on behalf of my brother), from a quick scan.

       servers &ndash; meaning that external entities can connect and talk

This isn't your text, but should that be &mdash;?

 +    <itemizedList>
 +      <listitem>
 +	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
 +	  will be EXAMPLE.ORG.</para>

The itemizedlist should be all lowercase.

 +	<para>The <application>Kerberos</application> realm will be
 +	  EXAMPLE.ORG.</para>
 +      </listitem>
 +    </itemizedList>

Ditto.

 +      <para>Please use real domain names when setting up
 +	<application>Kerberos</application> even if you intend to run
 +	it internally.  This avoids <acronym>DNS</acronym> problems
 +	and assures interoperation with other
 +	<application>Kerberos</application> realms.</para>

Now, I don't want to be fussy, but above you've replaced "internetwork.." with
"inter-network", so I don't know if that should be "inter-operate" or not,
but ispell seems to think so.

 +      default_realm = example.org</programlisting>
 +
 +	<para>With the following lines being appended to the
 +	  <hostid role="fqdn">exmple.org</hostid> zonefile:</para>
 +
 +	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 +_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.

s/exmple/example/


 +	  <listitem>
 +	    <para><acronym>MIT</acronym> and Heimdal interoperate nicely.
 +	      Except for <command>kadmin</command>, the protocol for
 +	      which is not standardized.</para>
 +	  </listitem>

See above comment regarding the hyphen.


 +	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
 +	      will work, but the A and PTR records must be correct and in
 +	      place. The error message isn't very intuitive:
 +	      <errorname>KerberosV5 refuses authentication because Read req
 +	      failed: Key table entry not found</errorname>.</para>
 +	  </listitem>

You use "KerberosV5" here, but "Kerberos5" everywhere else.


 +	  <para><application>Kerberos</application> allows users, hosts
 +	    and services to authenticate between themselves.  It does not
 +	    have a mechanism to authenticate the <acronym>KDC</acronym>
 +	    to the users, hosts or services.  This means that a trojaned
 +	    <command>kinit</command> (for example) could record all user
 +	    names and passwords.  Something like
 +	    <filename role="package">security/tripwire</filename> or

I think "trojaned" is normally spelled "trojanned" (but I can't be sure,
because it's not a real word).

 +	  <application>Kerberos</application> home page</ulink></para>
 +	</listitem>
 +
 +	</itemizedList>
 +
 +    </sect2>
 +  </sect1>

Capitalisation of "itemizedlist" again.


I have attached a diff against your diff containing fixes for all the above,
but feel free to not use any you don't agree with.

Ceri
-- 
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
                                           -- www.chatterboxchallenge.com

Attachment: krb.diff

--- trhodes.bak	Thu Sep  4 19:15:00 2003
+++ trhodes	Thu Sep  4 19:19:25 2003
@@ -77,7 +77,7 @@
 --- chapter.sgml	Thu Sep  4 13:12:30 2003
 +++ chapter.new	Thu Sep  4 13:19:05 2003
 @@ -106,7 +106,7 @@
-       servers &ndash; meaning that external entities can connect and talk
+       servers &mdash; meaning that external entities can connect and talk
        to them.  As yesterday's mini-computers and mainframes become
        today's desktops, and as computers become networked and
 -      internetworked, security becomes an even bigger issue.</para>
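Review bot: the two lines changed here (`-       servers &ndash;` / `+       servers &mdash;`) are context lines of the inner diff, not lines it adds, so this edits pre-existing chapter.sgml text inside the patch's context rather than in the file itself. Unless chapter.sgml is changed to `&mdash;` as well, the inner hunk `@@ -106,7 +106,7 @@` will no longer apply cleanly. Since the cover note already says this isn't the draft's own text, suggest making the dash fix as a separate change against chapter.sgml instead.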
@@ -153,7 +153,7 @@
 +    <para>For purposes of demonstrating a <application>Kerberos</application>
 +      installation, the various namespaces will be handled as follows:</para>
 +
-+    <itemizedList>
++    <itemizedlist>
 +      <listitem>
 +	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
 +	  will be EXAMPLE.ORG.</para>
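Review bot: the opening `<itemizedlist>` is lowercased here while its matching `</itemizedList>` is only fixed in the next hunk (`@@ -163,13 +163,13 @@`); apply the two together. SGML tolerates the mixed case, which is why the draft built, but the handbook markup is all-lowercase and a case-sensitive toolchain would reject an open/close pair that differs only in case.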
@@ -163,13 +163,13 @@
 +	<para>The <application>Kerberos</application> realm will be
 +	  EXAMPLE.ORG.</para>
 +      </listitem>
-+    </itemizedList>
++    </itemizedlist>
 +
 +    <note>
 +      <para>Please use real domain names when setting up
 +	<application>Kerberos</application> even if you intend to run
 +	it internally.  This avoids <acronym>DNS</acronym> problems
-+	and assures interoperation with other
++	and assures inter-operation with other
 +	<application>Kerberos</application> realms.</para>
 +    </note>
 +
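Review bot: `inter-operation` in the `+` line is the less common form; "interoperation" is the usual spelling, and following ispell here leaves the text inconsistent with the "interoperate" root the draft uses elsewhere, so I would keep the unhyphenated form rather than introduce the hyphen. The `</itemizedlist>` lowercase fix in the same hunk is right and pairs with the opening tag fixed in the previous hunk.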
@@ -273,7 +273,7 @@
 +      default_realm = example.org</programlisting>
 +
 +	<para>With the following lines being appended to the
-+	  <hostid role="fqdn">exmple.org</hostid> zonefile:</para>
++	  <hostid role="fqdn">example.org</hostid> zonefile:</para>
 +
 +	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 +_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
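Review bot: the `exmple.org` fix in `<hostid>` is right, but the unchanged line above it, `default_realm = example.org`, conflicts with the realm the draft defines as `EXAMPLE.ORG` in the `@@ -163` hunk. Kerberos realm names are case-sensitive and conventionally uppercase, so a client configured with `example.org` would request tickets for a realm the KDC does not serve; suggest `default_realm = EXAMPLE.ORG` while leaving the DNS zone name in `<hostid>` lowercase, since DNS is case-insensitive. The `_kerberos._udp`/`_kerberos._tcp` SRV targets correctly carry the trailing dot.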
@@ -559,7 +559,7 @@
 +	  </listitem>
 +
 +	  <listitem>
-+	    <para><acronym>MIT</acronym> and Heimdal interoperate nicely.
++	    <para><acronym>MIT</acronym> and Heimdal inter-operate nicely.
 +	      Except for <command>kadmin</command>, the protocol for
 +	      which is not standardized.</para>
 +	  </listitem>
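Review bot: the sentence starting `Except for <command>kadmin</command>` is a fragment; suggest joining it to the previous one, e.g. `MIT and Heimdal interoperate nicely, except for kadmin, whose protocol is not standardized.` The hyphen in `inter-operate` raises the same spelling question as `inter-operation` earlier in the patch; whichever form is chosen should be used in both places.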
@@ -578,7 +578,7 @@
 +	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
 +	      will work, but the A and PTR records must be correct and in
 +	      place. The error message isn't very intuitive:
-+	      <errorname>KerberosV5 refuses authentication because Read req
++	      <errorname>Kerberos5 refuses authentication because Read req
 +	      failed: Key table entry not found</errorname>.</para>
 +	  </listitem>
 +
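Review bot: the text inside `<errorname>` is quoted as the literal message the software prints, so renaming `KerberosV5` to `Kerberos5` for consistency with the prose risks making the quoted error differ from what an administrator actually sees and searches the logs for. Check the string against real output before changing it; if the software does print `KerberosV5`, keep the `<errorname>` content as it was and normalize only the surrounding prose.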
@@ -784,7 +784,7 @@
 +	  <para><application>Kerberos</application> allows users, hosts
 +	    and services to authenticate between themselves.  It does not
 +	    have a mechanism to authenticate the <acronym>KDC</acronym>
-+	    to the users, hosts or services.  This means that a trojaned
++	    to the users, hosts or services.  This means that a trojanned
 +	    <command>kinit</command> (for example) could record all user
 +	    names and passwords.  Something like
 +	    <filename role="package">security/tripwire</filename> or
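Review bot: `trojaned` and `trojanned` are both informal and, as the cover note admits, neither is a dictionary word, so rather than choosing a spelling I would reword to `a compromised <command>kinit</command>`, which also states the threat more plainly. The paragraph's substance is sound: because the KDC is not authenticated to the client, a tampered client binary can capture every principal name and password entered into it, and file-integrity checking such as security/tripwire is the appropriate detection control to recommend here.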
@@ -825,7 +825,7 @@
 +	  <application>Kerberos</application> home page</ulink></para>
 +	</listitem>
 +
-+	</itemizedList>
++	</itemizedlist>
 +
 +    </sect2>
 +  </sect1>
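Review bot: this lowercases a `</itemizedlist>` whose opening tag is outside the hunk and belongs to a different list from the one fixed at `@@ -153`, so the corresponding `<itemizedList>` at the start of the list that ends here needs checking and lowercasing too; otherwise an unpaired mixed-case open tag remains. The `</sect2>`/`</sect1>` context lines are untouched.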

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030904182836.GJ25063>