Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 4 Sep 2003 12:49:22 -0400
From:      Tom Rhodes <trhodes@FreeBSD.org>
To:        Tillman Hodgson <tillman@seekingfire.com>
Cc:        FreeBSD-doc@FreeBSD.org
Subject:   Re: [Review Request] Kerberose 5 patch.  Version two!
Message-ID:  <20030904124922.009c69c1.trhodes@FreeBSD.org>
In-Reply-To: <20030904111531.S21559@seekingfire.com>
References:  <20030903163616.04ac91aa.trhodes@FreeBSD.org> <20030904152353.GH25063@submonkey.net> <20030904111531.S21559@seekingfire.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, 4 Sep 2003 11:15:31 -0600
Tillman Hodgson <tillman@seekingfire.com> wrote:

> On Thu, Sep 04, 2003 at 04:23:53PM +0100, Ceri Davies wrote:
> > On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> > > All,
> > > 
> > > Ok, after finally digging through the large amount of comments in
> > > my email, and finding some free time to actually apply them, I have
> > > produced another version.  This mixes comments from everyone who
> > > send any, and I hope this looks good.
> > 
> > Tom,
> > 
> > I forwarded this to my brother, who recently set up a Kerberos5 installation
> > (albeit on NetBSD), and he came back with the attached comments.
> > 
> > Hope they help.
> > 
> > Ceri
> 
> > 
> > * Ceri Davies <setantae@submonkey.net> [0902 14:02]:
> > 
> > Ta for that, it all looks good. I'm surprised by 3 bits though.
> > [ I assume you have the same Heimdal distro as us,if you don't
> > that would explain 2) and 3) ]
> > 
> > 1) "   For purposes of demonstrating a Kerberos installation, the various
> >    namespaces will be handled as follows:
> >      * The DNS domain (``zone'') will be example.org.
> >      * The Kerberos realm will be example.org.
> > 
> >      Note: Please use real domain names when setting up Kerberos even if
> >      you intend to run it internally. This avoids DNS problems and
> >      assures interoperation with other Kerberos realms.
> > "
> > I know it's only a convention, but I'd still put the realm name in caps.
> 
> I agree - my original draft had it in all caps. I suspect it got lost
> when the .prv TLDs were changed to .org.

I've already done this in my new diff.

> 
> > 2) "10.7.2 Setting up a Heimdal KDC
> > 
> >    Next we will set up your Kerberos config file, /etc/krb5.conf:
> > [libdefaults]
> >     default_realm = example.org
> > .
> > .
> > .
> > "
> > 
> > If you set up BIND properly, that's all you need in krb5/conf, see:
> <snip>
> 
> I can see your point. I use DNS for my own realms and it does work quite
> well.
> 
> My arguments for doing it the krb5.conf way:
> 
> * You still require a minimal krb5.conf in any case, so putting the
>   server information in there results in fewer installation steps. This
>   isn't what I do for a large production environment, but it is what
>   I'd do for a short tutorial.
> 
> * I wanted to avoid creating dependencies - the user may not want to
>   use bind.
> 
> * The DNS method tends to break kadmin if you run multiple realms off of
>   the same KDC. Explaining how to run kadmind on alternate ports is
>   beyond the scope of a Handbook chapter IMO.

Well, I have an idea on how to do this.  Something like:

<note>
  <para>When using Kerberos in a large network, and insist on using
     DNS services, then the following information could be added to
     the DNS configuration: ...

With the correct markup of course.

> 
> Would a reference to Kerberos and DNS work?
> 
> > 3) "10.7.8.2 Kerberos is intended for single-user workstations
> > 
> >    In a multi-user environment, Kerberos is less secure. This is because
> >    it stores the tickets in the /tmp directory, which is readable by all
> >    users. If a user is sharing a computer with several other people
> >    simultaneously (i.e. multi-user), it is possible that the user's
> >    tickets can be stolen (copied) by another user."
> > 
> > If the files are world-readable in /tmp then I agree,
> > but to be honest that's a bug that shouldbefixed.
> 
> It's not probably not completely fixable - whoever has root powers has
> the capability to "become" any user by using their Kerberos ticket.
> Granted, root has that power already but this extends it beyond the
> local machine. Users may not expect (or want) that.
> 

Perhaps we could recommend that /tmp have different permissions set?
Although, I have never ran a Kerberos server I do not want to just give
a set of permissions without knowing how they would affect Kerberos.

-- 
Tom Rhodes



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030904124922.009c69c1.trhodes>