[4826] in Kerberos
Re: Using Kerberos clients where they're not officially installed.
daemon@ATHENA.MIT.EDU (eichin@cygnus.com)
Thu Mar 16 13:30:55 1995
Date: Thu, 16 Mar 95 13:20:42 -0500
To: jef@netcom.com (Jef Poskanzer)
Cc: kerberos@MIT.EDU
In-Reply-To: "[4816] in Kerberos"
From: eichin@cygnus.com
> in Cygnus's modified version there's some code that tries to guess a KDC
> name based on the host name - for host foo.bar.com it would try
> kerberos.bar.com, or something like that. Can anyone supply details?
1) The net release of CNS is V4, not V5; for more details, check out
the web site.
2) The code guesses that for host foo.bar.com it is in realm BAR.COM
(except that bar.com is also assumed to be BAR.COM, it just chops off
the name.) *seperate* from that (after all, you can always use -k to
specify the realm name, it doesn't need to guess) if it can't find a
KDC for BAR.COM, it guesses that kerberos.BAR.COM is one. (An earlier
version of the code would only do this if it couldn't find krb.conf,
but now it does it if it couldn't find the realm in krb.conf.)
> Here's an idea I had for a more general solution: look for ~/.krb_conf
> and ~/.krb_realms before looking for the ones in /etc/kerberosV. This
Actually, we made it look in ${KRB_CONF} since there really isn't a
security issue at hand (even if there were, the names are looked up in
DNS already, which is "nearly" as weak...)
As for V5, Ted is designing a wonderful new config file mechanism that
will take care of the above problems and bring peace in the middle
east. (Oops, that's done already, nevermind :-)
I hope this helps...
_Mark_ <eichin@cygnus.com>
Cygnus Support, East Coast