[4816] in Kerberos

home help back first fref pref prev next nref lref last post

Using Kerberos clients where they're not officially installed.

daemon@ATHENA.MIT.EDU (Jef Poskanzer)
Wed Mar 15 20:29:15 1995

To: kerberos@MIT.EDU
Date: Thu, 16 Mar 1995 00:01:21 GMT
From: jef@netcom.com (Jef Poskanzer)
Reply-To: Jef Poskanzer <jef@netcom.com>

I'd like to use Kerberized telnet client on Netcom to get to a secure
realm elsewhere.  The Netcom sysadmins are not particularly interested
in installing stuff, so I have to use my own binaries.  No big deal, it
almost works without anything installed in a system directory.  The
major sticking point is finding the appropriate realm and KDC for the
hosts we're going to.

For the realm things look ok, mostly - the code already has a built-in
default, host foo.bar.com maps to realm BAR.COM - this works for most
hosts.  An exception is hosts such as well.com, which would generate
a default realm of COM, which is not good.  But ignore that for now.

For going from the realm to the KDC things don't look as good.  With
stock K5 we just get an error, can't open config file.  I've heard that
in Cygnus's modified version there's some code that tries to guess a KDC
name based on the host name - for host foo.bar.com it would try
kerberos.bar.com, or something like that.  Can anyone supply details?
Just what guesses does it try?  I don't have a CNS source tree handy
at the moment.

Here's an idea I had for a more general solution: look for ~/.krb_conf
and ~/.krb_realms before looking for the ones in /etc/kerberosV.  This
would handle the above-mentioned well.com case too.  Does this have any
obvious security holes?
---
Jef

       Jef Poskanzer  jef@acme.com  jef@netcom.com  jef@well.com
            ftp://ftp.netcom.com/pub/je/jef/web/jef.html
"Love is the strongest medicine. It is more powerful than electricity."
                          -- Neem Karoli Baba

home help back first fref pref prev next nref lref last post