[4989] in Kerberos

home help back first fref pref prev next nref lref last post

Re: kinit to another realm failing:, Can't send request

daemon@ATHENA.MIT.EDU (eichin@MIT.EDU)
Tue Apr 18 00:04:37 1995

Date: Mon, 17 Apr 95 23:52:57 -0400
To: bbense@spelljammer.stanford.edu (Booker C. Bense)
Cc: kerberos@MIT.EDU
In-Reply-To: "[4985] in Kerberos"
From: eichin@MIT.EDU

>> - No, you have to put them in krb.realms.......... %-( !!

No, with the Athena software it needs to be in krb.conf -- krb.realms
is only needed to "hint" to software that doesn't allow an explicit
override (rlogin, for example, has the "-k remote realm" option.)
kinit *never* uses krb.realms.

>> - If you are using Cygnus kerberos software, it attempts to guess
>> the kerberos server from the domain name. ( A potentially unsecure
>> misfeature IMHO ). You can 

Thank you for qualifying the comment as both "your opinion" and
"humble"; consider further that it is "incorrect." There is some risk
of a "denial of service" attack by getting a bogus nameserver response
and preventing the user from reaching the KDC at all -- but there are
much easier ways to do that -- after all, having the name in krb.conf
often means that you look up the name via DNS or NIS anyway. Kerberos
security is based on *cryptography* not merely naming.

>> - From my examination of the latest version of the source, I did
>> not find any equivalent for the realms file. 

We haven't bothered, because it hasn't actually been necessary. The
krb.realms file isn't actually *needed* by anything that actually gets
used...
			_Mark_ <eichin@cygnus.com>
			Cygnus Support
			Cygnus Network Security <network-security@cygnus.com>


home help back first fref pref prev next nref lref last post