Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 4 Sep 2003 11:15:31 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        FreeBSD-doc@freebsd.org
Cc:        Tom Rhodes <trhodes@freebsd.org>
Subject:   Re: [Review Request] Kerberose 5 patch.  Version two!
Message-ID:  <20030904111531.S21559@seekingfire.com>
In-Reply-To: <20030904152353.GH25063@submonkey.net>; from setantae@submonkey.net on Thu, Sep 04, 2003 at 04:23:53PM +0100
References:  <20030903163616.04ac91aa.trhodes@FreeBSD.org> <20030904152353.GH25063@submonkey.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, Sep 04, 2003 at 04:23:53PM +0100, Ceri Davies wrote:
> On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> > All,
> > 
> > Ok, after finally digging through the large amount of comments in
> > my email, and finding some free time to actually apply them, I have
> > produced another version.  This mixes comments from everyone who
> > send any, and I hope this looks good.
> 
> Tom,
> 
> I forwarded this to my brother, who recently set up a Kerberos5 installation
> (albeit on NetBSD), and he came back with the attached comments.
> 
> Hope they help.
> 
> Ceri

> From rasputin@idoru.mine.nu Thu Sep 04 14:52:39 2003
> Return-path: <rasputin@idoru.mine.nu>
> Envelope-to: setantae@submonkey.net
> Delivery-date: Thu, 04 Sep 2003 14:52:39 +0100
> Received: from shaft.techsupport.co.uk ([212.250.77.214])
> 	by shrike.submonkey.net with esmtp (TLSv1:DHE-RSA-AES256-SHA:256)
> 	(Exim 4.22)
> 	id 19uuXL-0007ah-KY
> 	for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:35 +0100
> Received: from pc2-cdif1-6-cust172.cdif.cable.ntl.com
> 	([80.3.231.172] helo=idoru.mine.nu ident=8136-ident-is-a-completely-pointless-protocol-that-offers-no-security-or-traceability-at-all-so-take-this-and-log-it!)
> 	by shaft.techsupport.co.uk with esmtp (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
> 	(Exim 4.20)
> 	id 19uuXJ-0004Al-PB
> 	for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:33 +0100
> Received: from rasputin by idoru.mine.nu with local (Exim 4.10)
> 	id 19uuXH-0006vk-00
> 	for setantae@submonkey.net; Thu, 04 Sep 2003 14:52:31 +0100
> Date: Thu, 4 Sep 2003 14:52:31 +0100
> From: Rasputin <rasputin@idoru.mine.nu>
> To: Ceri Davies <setantae@submonkey.net>
> Subject: Re: [trhodes@FreeBSD.org: [Review Request] Kerberose 5 patch.  Version two!]
> Message-ID: <20030904135231.GA24693@lb.tenfour>
> Reply-To: Rasputin <rasputin@idoru.mine.nu>
> References: <20030904100736.GB25063@submonkey.net> <20030904121506.GA23968@lb.tenfour> <20030904122856.GC25063@submonkey.net> <20030904123147.GA18323@lb.tenfour> <20030904130235.GF25063@submonkey.net>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <20030904130235.GF25063@submonkey.net>
> User-Agent: Mutt/1.4.1i
> X-Spam-Status: No, hits=-8.9 required=5.0
> 	tests=AWL,BAYES_20,IN_REP_TO,REFERENCES,USER_AGENT_MUTT
> 	autolearn=ham version=2.55
> X-Spam-Level: 
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> Status: RO
> Content-Length: 2323
> Lines: 64
> 
> * Ceri Davies <setantae@submonkey.net> [0902 14:02]:
> 
> Ta for that, it all looks good. I'm surprised by 3 bits though.
> [ I assume you have the same Heimdal distro as us,if you don't
> that would explain 2) and 3) ]
> 
> 1) "   For purposes of demonstrating a Kerberos installation, the various
>    namespaces will be handled as follows:
>      * The DNS domain (``zone'') will be example.org.
>      * The Kerberos realm will be example.org.
> 
>      Note: Please use real domain names when setting up Kerberos even if
>      you intend to run it internally. This avoids DNS problems and
>      assures interoperation with other Kerberos realms.
> "
> I know it's only a convention, but I'd still put the realm name in caps.

I agree - my original draft had it in all caps. I suspect it got lost
when the .prv TLDs were changed to .org.

> 2) "10.7.2 Setting up a Heimdal KDC
> 
>    Next we will set up your Kerberos config file, /etc/krb5.conf:
> [libdefaults]
>     default_realm = example.org
> .
> .
> .
> "
> 
> If you set up BIND properly, that's all you need in krb5/conf, see:
<snip>

I can see your point. I use DNS for my own realms and it does work quite
well.

My arguments for doing it the krb5.conf way:

* You still require a minimal krb5.conf in any case, so putting the
  server information in there results in fewer installation steps. This
  isn't what I do for a large production environment, but it is what
  I'd do for a short tutorial.

* I wanted to avoid creating dependencies - the user may not want to
  use bind.

* The DNS method tends to break kadmin if you run multiple realms off of
  the same KDC. Explaining how to run kadmind on alternate ports is
  beyond the scope of a Handbook chapter IMO.

Would a reference to Kerberos and DNS work?

> 3) "10.7.8.2 Kerberos is intended for single-user workstations
> 
>    In a multi-user environment, Kerberos is less secure. This is because
>    it stores the tickets in the /tmp directory, which is readable by all
>    users. If a user is sharing a computer with several other people
>    simultaneously (i.e. multi-user), it is possible that the user's
>    tickets can be stolen (copied) by another user."
> 
> If the files are world-readable in /tmp then I agree,
> but to be honest that's a bug that shouldbefixed.

It's not probably not completely fixable - whoever has root powers has
the capability to "become" any user by using their Kerberos ticket.
Granted, root has that power already but this extends it beyond the
local machine. Users may not expect (or want) that.

Great comments, thanks!

-T


-- 
Some are born to Enlightenment, some achieve Enlightenment, and others
have Enlightenment larted upon them.
    - A.S.R. quote (Greg)



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030904111531.S21559>