[4989] in Kerberos
Re: kinit to another realm failing:, Can't send request
daemon@ATHENA.MIT.EDU (eichin@MIT.EDU)
Tue Apr 18 00:04:37 1995
Date: Mon, 17 Apr 95 23:52:57 -0400
To: bbense@spelljammer.stanford.edu (Booker C. Bense)
Cc: kerberos@MIT.EDU
In-Reply-To: "[4985] in Kerberos"
From: eichin@MIT.EDU
>> - No, you have to put them in krb.realms.......... %-( !!
No, with the Athena software it needs to be in krb.conf -- krb.realms
is only needed to "hint" to software that doesn't allow an explicit
override (rlogin, for example, has the "-k remote realm" option.)
kinit *never* uses krb.realms.
>> - If you are using Cygnus kerberos software, it attempts to guess
>> the kerberos server from the domain name. ( A potentially unsecure
>> misfeature IMHO ). You can
Thank you for qualifying the comment as both "your opinion" and
"humble"; consider further that it is "incorrect." There is some risk
of a "denial of service" attack by getting a bogus nameserver response
and preventing the user from reaching the KDC at all -- but there are
much easier ways to do that -- after all, having the name in krb.conf
often means that you look up the name via DNS or NIS anyway. Kerberos
security is based on *cryptography* not merely naming.
>> - From my examination of the latest version of the source, I did
>> not find any equivalent for the realms file.
We haven't bothered, because it hasn't actually been necessary. The
krb.realms file isn't actually *needed* by anything that actually gets
used...
_Mark_ <eichin@cygnus.com>
Cygnus Support
Cygnus Network Security <network-security@cygnus.com>