[16335] in Kerberos_V5_Development


Re: Project Review: kinit -C

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Sep 17 12:01:20 2010

To: Kerberos Devel list <krbdev@mit.edu>
In-reply-to: Your message of Fri, 17 Sep 2010 10:34:53 -0500.
	<20100917153453.GV3982@oracle.com> 
Date: Fri, 17 Sep 2010 11:01:14 CDT
Message-ID: <5479.1284739274@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
-------------------------------------------------------------------------------
John Hascall, john@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> On Fri, Sep 17, 2010 at 06:58:02AM -0500, John Hascall wrote:
> > I'm wondering why this would be.  I'm thinking this isn't much more
> > than a config file and/or command line option a la '-i eth0' and
> > an if-statement here or there.  In fact, even in the absence of
> > multiple KDCs I would think restricting which interface you would
> > talk to might be a good thing.

> Why would that be a good thing?  If it'd be inappropriate to run the KDC
> on one interface then chances are you should be doing something more
> involved to separate your network traffic anyways.

I just think that "belt AND suspenders" is a good idea.


> > > Virtualization is an easy answer here.
> > Perhaps we're paranoid, but it's not one I ever see us
> > using on something like a KDC.

> To separate realms?  I do.  OTOH, if you don't need it ...

No, because virtualization is just another large and complicated
piece of software which means it has bugs.  There are plenty
of places where this small risk is outweighed by other advantages.
To me the KDC is not one of those places, but then, I'm a guy
who thinks a locked bezel in a locked rack in a locked cage in
a locked room might not be quite enough locks.  YMMV.

John
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
