[591] in Kerberos_V5_Development
Re: Static configuration files
bjaspan@ATHENA.MIT.EDU (bjaspan@ATHENA.MIT.EDU)
Wed Jan 30 13:14:56 1991
Well, okay, I guess I should anticipate some of the obvious responses.

(1) Spoofing. No problem --- the initial tgt comes from the kerberos
server specified in the local config files and the rest of the
requests could be authenticated (privacy obviously wouldn't be
necessary).

(2) Efficiency. Named-style caching would be really nice here. (I
guess "authenticated nameservice" is a phrase I've used before, and I
also don't understand why it is such a difficulty so long as the basic
bootstrap information is available locally.) Given the simplicity of
the data, however, a basic file-based cache (/usr/tmp/.krbinfo.cache)
could be implemented with little difficulty.

(3) Reliability. Not really a problem. If you can't get to the
kerberos server or any slave to get a realm->server mapping, you're
hosed anyway and probably won't be able to use kerberos at all.