Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 4 Sep 2003 16:23:53 +0100
From:      Ceri Davies <>
To:        Tom Rhodes <>
Subject:   Re: [Review Request] Kerberose 5 patch.  Version two!
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Content-Type: multipart/mixed; boundary="BEa57a89OpeoUzGD"
Content-Disposition: inline

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> All,
> Ok, after finally digging through the large amount of comments in
> my email, and finding some free time to actually apply them, I have
> produced another version.  This mixes comments from everyone who
> send any, and I hope this looks good.


I forwarded this to my brother, who recently set up a Kerberos5 installation
(albeit on NetBSD), and he came back with the attached comments.

Hope they help.

Iniaes: Sure, I can accept all forms of payment.

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=rasputin
Content-Transfer-Encoding: quoted-printable

=46rom Thu Sep 04 14:52:39 2003
Return-path: <>
Delivery-date: Thu, 04 Sep 2003 14:52:39 +0100
Received: from ([])
	by with esmtp (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.22)
	id 19uuXL-0007ah-KY
	for; Thu, 04 Sep 2003 14:52:35 +0100
Received: from
	([] ident=3D8136-ident-is-a-completely-po=
	by with esmtp (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
	(Exim 4.20)
	id 19uuXJ-0004Al-PB
	for; Thu, 04 Sep 2003 14:52:33 +0100
Received: from rasputin by with local (Exim 4.10)
	id 19uuXH-0006vk-00
	for; Thu, 04 Sep 2003 14:52:31 +0100
Date: Thu, 4 Sep 2003 14:52:31 +0100
=46rom: Rasputin <>
To: Ceri Davies <>
Subject: Re: [ [Review Request] Kerberose 5 patch.  Ver=
sion two!]
Message-ID: <20030904135231.GA24693@lb.tenfour>
Reply-To: Rasputin <>
References: <> <20030904121506.GA23968@=
lb.tenfour> <> <20030904123147.GA18323@=
lb.tenfour> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=3Dus-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.4.1i
X-Spam-Status: No, hits=3D-8.9 required=3D5.0
	autolearn=3Dham version=3D2.55
X-Spam-Checker-Version: SpamAssassin 2.55 (
Status: RO
Content-Length: 2323
Lines: 64

* Ceri Davies <> [0902 14:02]:

Ta for that, it all looks good. I'm surprised by 3 bits though.
[ I assume you have the same Heimdal distro as us,if you don't
that would explain 2) and 3) ]

1) "   For purposes of demonstrating a Kerberos installation, the various
   namespaces will be handled as follows:
     * The DNS domain (``zone'') will be
     * The Kerberos realm will be

     Note: Please use real domain names when setting up Kerberos even if
     you intend to run it internally. This avoids DNS problems and
     assures interoperation with other Kerberos realms.
I know it's only a convention, but I'd still put the realm name in caps.

2) "10.7.2 Setting up a Heimdal KDC

   Next we will set up your Kerberos config file, /etc/krb5.conf:
    default_realm =3D

If you set up BIND properly, that's all you need in krb5/conf, see:

You just add this to the zonefile for

     _kerberos._udp      IN  SRV     01 00 88
     _kerberos._tcp      IN  SRV     01 00 88
     _kpasswd._udp       IN  SRV     01 00 464
     _kerberos-adm._tcp  IN  SRV     01 00 749
     _kerberos           IN  TXT     EXAMPLE.ORG.
 That assumes kadmind is on the same box as the KDC. Makes clients lot
easier to setup though, and means you can move the KDC around easier.

Some would say it makes spoofing easier,but they would be wrong :)
(the hostname is the conf file mean syou are dependant on DNS anyway to
hit the KDC, so you may as well make best use of it.)

3) " Kerberos is intended for single-user workstations

   In a multi-user environment, Kerberos is less secure. This is because
   it stores the tickets in the /tmp directory, which is readable by all
   users. If a user is sharing a computer with several other people
   simultaneously (i.e. multi-user), it is possible that the user's
   tickets can be stolen (copied) by another user."

If the files are world-readable in /tmp then I agree,
but to be honest that's a bug that shouldbefixed.

A bird in the hand makes it awfully hard to blow your nose.
Rasputin :: Jack of All Trades - Master of Nuns


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (FreeBSD)



Want to link to this message? Use this URL: <>