Bug#629867: krb5: Please enable DNS realm lookups in configure
On 11-06-10 16:38, Sam Hartman hartm...@debian.org wrote:
> One significant issue I have is that I believe with the dns-based option, the less secure DNS-based approach is preferred to the referrals. Automating the process of populating the referrals data on the KDCs would give you a much more secure result.

Yes, after giving it some thought, I agree with you there.

> There's a lot to be said for having all code paths enabled (and I thought the upstream default was already to turn this on but to disable by default in the config file), but there's also a lot to be said for strongly discouraging the DNS-based approach because its security properties are very bad.

There seem to be good arguments for and against the proposition. I'm not quite sure which way I would decide, were I in your place.

Ciao, Alexander Wuerstlein.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#629867: krb5: Please enable DNS realm lookups in configure
One significant issue I have is that I believe with the dns-based option, the less secure DNS-based approach is preferred to the referrals. Automating the process of populating the referrals data on the KDCs would give you a much more secure result.

There's a lot to be said for having all code paths enabled (and I thought the upstream default was already to turn this on but to disable by default in the config file), but there's also a lot to be said for strongly discouraging the DNS-based approach because its security properties are very bad.

--Sam
Bug#629867: krb5: Please enable DNS realm lookups in configure
Hi. Current KDCs actually support a better option than DNS-based referrals. A KDC can issue a referral indicating what realm a host lives in. The MIT and Microsoft KDCs definitely support this. I believe this was added to MIT in 1.8 or possibly 1.7; Microsoft has always had it. The client support has been there since 1.6 or earlier.

Is the DNS-based solution still better in your environment? If so, why?
Bug#629867: krb5: Please enable DNS realm lookups in configure
On 11-06-09 20:16, Sam Hartman hartm...@debian.org wrote:
> Hi. Current KDCs actually support a better option than DNS-based referrals. A KDC can issue a referral indicating what realm a host lives in. The MIT and Microsoft KDCs definitely support this. I believe this was added to MIT in 1.8 or possibly 1.7; Microsoft has always had it. The client support has been there since 1.6 or earlier.
>
> Is the DNS-based solution still better in your environment?

Yes.

> If so, why?

DNS is managed by the (independent) administrator of each realm; each new host entered there would be tagged by the responsible administrator with the appropriate realm via a _kerberos IN TXT entry. Each host needs to be tagged because administrative domains and Kerberos realms are not in sync with DNS (sub)domains and delegations, for a lot of reasons I don't want to go into.

Referrals, on the other hand, would have to be kept in sync on all realms' KDCs manually. Each new host would need to be entered into DNS as well as into each KDC configuration. Since DNS subdomains are not congruent with Kerberos realms, the configuration would need to name each host specifically and assign it to a realm. While that could be automated with some effort, it would essentially duplicate what DNS does anyway. At least that is what I understood from the limited documentation available on the subject; I could very well be totally wrong, and I would appreciate any advice.

In our case the (not yet implemented) scenario would look something like this: a number of important host-realm associations would be configured on each KDC, so that those can be discovered via referrals. Those would also be kept in sync as far as possible across the various realms. At the same time, new hosts and services that are created would automatically work, since the hostname in DNS is available at the same time as its realm association. The more secure and stable association via the KDC config can then be added later.

Ciao, Alexander Wuerstlein.
Bug#629867: krb5: Please enable DNS realm lookups in configure
Package: krb5
Severity: wishlist

Please enable DNS realm lookups in the call to ./configure (--enable-dns-for-realm). This enables lookups of the realm a host belongs to via _kerberos.host IN TXT records. Doing so would enable easier and more consistent configuration in complex environments, since DNS would replace a hard-to-maintain domain_realm section in krb5.conf.

There are some security implications to this (see the paragraph 'dns_lookup_realm' on the corresponding configuration option in http://web.mit.edu/Kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#libdefaults). Since both the compilation option and the configuration option must be enabled, and the default for the configuration option is false/off, I think the security problems from enabling the compilation option are negligible.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (1050, 'stable'), (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32.27 (SMP w/16 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
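The two realm-mapping paths this thread compares, as an added example that is not part of the bug report, of Alexander's reply to Sam, or of MIT krb5's own code. It models in Python what the client does with a hostname: consult the static [domain_realm] map first (exact hostname entry, then the closest ".parent" entry), and only when dns_lookup_realm is on walk from _kerberos.<host> up through the parent domains looking for a TXT record, which is the per-host tagging Alexander describes. The krb5.conf fragment, hostnames, realm names and DNS answers are constructed for the example, and the lookup order is simplified (no KDC referral step, no default_realm fallback). The security implication the report points to in the dns_lookup_realm documentation is what the spoofed zone shows: a TXT answer an attacker injects sends the client to a realm of the attacker's choosing, and nothing in the lookup can detect it.

```python
# Added example (not from the thread, not MIT krb5's code): how a client maps a
# hostname to a Kerberos realm, comparing the static [domain_realm] map with the
# _kerberos TXT walk that dns_lookup_realm enables. Lookup order is simplified:
# no KDC referral step and no default_realm fallback. All names are constructed.
from typing import Dict, List, Optional

# Constructed krb5.conf fragment; hostnames and realms are illustrative.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
    legacy.example.com = OLD.EXAMPLE.NET
"""
# Same file with the weak setting turned on (what the wishlist bug makes reachable).
KRB5_CONF_DNS = KRB5_CONF.replace("dns_lookup_realm = false", "dns_lookup_realm = true")

# Constructed DNS view: the legitimate per-domain TXT tagging Alexander describes,
# and the same view with one extra answer an on-path attacker injected. TXT answers
# carry no authentication, so the client cannot tell the two views apart.
HONEST_ZONE: Dict[str, List[str]] = {
    "_kerberos.lab.example.com": ["LAB.EXAMPLE.COM"],
    "_kerberos.example.com": ["EXAMPLE.COM"],
    "_kerberos.partner.example.org": ["PARTNER.EXAMPLE.ORG"],
}
SPOOFED_ZONE = dict(HONEST_ZONE)
SPOOFED_ZONE["_kerberos.fileserver.partner.example.org"] = ["EVIL.EXAMPLE.NET"]

TRUE_VALUES = {"true", "yes", "on", "1", "t", "y"}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the subset used here: [section] headers and key = value lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def parent_domains(host: str) -> List[str]:
    """'db1.lab.example.com' -> ['db1.lab.example.com', 'lab.example.com', 'example.com', 'com']."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def static_realm(domain_realm: Dict[str, str], host: str) -> Optional[str]:
    """[domain_realm]: an exact hostname entry wins, then the closest '.parent' entry."""
    names = parent_domains(host)
    if names[0] in domain_realm:
        return domain_realm[names[0]]
    for parent in names[1:]:
        if "." + parent in domain_realm:
            return domain_realm["." + parent]
    return None


def dns_txt_realm(zone: Dict[str, List[str]], host: str) -> Optional[str]:
    """dns_lookup_realm path: query _kerberos.<host>, then _kerberos.<each parent>.
    The first TXT answer found is trusted as-is; nothing here verifies it."""
    for name in parent_domains(host):
        answers = zone.get("_kerberos." + name)
        if answers:
            return answers[0]
    return None


def host_realm(conf: Dict[str, Dict[str, str]], zone: Dict[str, List[str]], host: str) -> Optional[str]:
    """Client order modeled here: static map first, DNS only when dns_lookup_realm is on."""
    realm = static_realm(conf.get("domain_realm", {}), host)
    if realm is not None:
        return realm
    if conf.get("libdefaults", {}).get("dns_lookup_realm", "false").lower() in TRUE_VALUES:
        return dns_txt_realm(zone, host)
    return None


if __name__ == "__main__":
    target = "fileserver.partner.example.org"  # not covered by [domain_realm]
    for label, text in (("dns_lookup_realm=false", KRB5_CONF), ("dns_lookup_realm=true", KRB5_CONF_DNS)):
        conf = parse_krb5_conf(text)
        print(label, "honest DNS:", host_realm(conf, HONEST_ZONE, target),
              "| spoofed DNS:", host_realm(conf, SPOOFED_ZONE, target))
```

Note what the model makes visible: even with dns_lookup_realm on, the static map still wins for every host it names, so the exposure is confined to hosts the [domain_realm] section does not cover, which are exactly the hosts the report wants DNS to handle. A KDC referral of the kind Sam describes delivers the same host-to-realm answer from the client's own KDC, protected like any other TGS reply rather than read off an unauthenticated TXT record, which is the property behind his preference for populating that data on the KDCs.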