Adam Megacz wrote:
> Jeffrey Altman <[EMAIL PROTECTED]> writes:
>> Also, the use of TXT records to determine which realm a service
>> belongs to is insecure and is disabled by default in MIT Kerberos.
>> You would need to explicitly enable this functionality in your
>> krb5.ini file in order to use it.
>
> ... but I'm using MIT Kerberos on all three machines (Win32, Linux,
> and MacOS). Why do I see different behavior on MacOS?
>
> I checked the krb5.ini vs krb5.conf on these machines, and the only
> material difference is that the Win32 machines have an additional line
> ("dns_lookup_kdc=true"), which I don't think would explain this.
>
> So, setting aside for a second the question of whether or not TXT
> records are secure, why am I seeing different behavior?
>
> - a

It depends on which version you are using. If you are using MIT Krb5 1.3.x or higher on any platform the TXT record search will not be performed when using any distribution from MIT. I can't speak for any patches that an operating system vendor may apply to versions they ship.

Jeffrey Altman
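An added example, not part of either message and not MIT's code: a Python check that reads the `[libdefaults]` section of each machine's krb5.conf or krb5.ini, reports which DNS lookup options differ between hosts, and flags any host where realm lookup via DNS is explicitly enabled. The host names and file contents are constructed samples; `dns_lookup_realm` is the krb5.conf option that controls the TXT-record realm lookup discussed in the thread, and the accepted boolean spellings are an assumption.

```python
import re

OPTIONS = ("dns_lookup_realm", "dns_lookup_kdc")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # assumed boolean spellings

def libdefaults(text):
    """Top-level key/value pairs of [libdefaults]; skips comments and { } blocks."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out

def dns_settings(text):
    """Value of each DNS lookup option, or None when the file does not set it."""
    opts = libdefaults(text)
    return {name: opts.get(name) for name in OPTIONS}

def realm_lookup_enabled(text):
    """True only when dns_lookup_realm is explicitly switched on."""
    value = dns_settings(text)["dns_lookup_realm"]
    return value is not None and value.lower() in TRUE_WORDS

def differing(configs):
    """{option: {host: value}} for every option not identical on all hosts."""
    per_host = {host: dns_settings(text) for host, text in configs.items()}
    table = {o: {h: s[o] for h, s in per_host.items()} for o in OPTIONS}
    return {o: v for o, v in table.items() if len(set(v.values())) > 1}

# Constructed sample files, not the configurations from the thread.
SAMPLES = {
    "host-a": "[libdefaults]\n default_realm = EXAMPLE.ORG\n dns_lookup_kdc=true\n",
    "host-b": "[libdefaults]\n default_realm = EXAMPLE.ORG\n[realms]\n"
              " EXAMPLE.ORG = {\n  kdc = kdc.example.org\n }\n",
    "host-c": "[libdefaults]\n default_realm = EXAMPLE.ORG\n dns_lookup_realm = yes\n",
}

if __name__ == "__main__":
    for option, values in differing(SAMPLES).items():
        print(option, values)
    print("realm lookup via DNS enabled on:",
          [h for h, t in SAMPLES.items() if realm_lookup_enabled(t)])
```

A value of `None` means the file leaves the option unset, so the behaviour on that host comes from the library build's default rather than from the configuration.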
