Danny Mayer <[EMAIL PROTECTED]> writes:
> Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be
>> insecure. Turning them on for use in realm resolution provides for
>> convenience but at the risk that your clients can be redirected to a
>> realm that you
Jeffrey Altman wrote:
> Jos Backus wrote:
>> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>>> This behavior was most likely broken when the referrals code was added.
>>
>> So it's a regression. Until this is fixed properly (which I don't claim my
>> patch does :-) ) I'm poss
>
>> Do we have information on which clients support referrals ?
>
> Current Microsoft and MIT clients do, I wouldn't be surprised if
> Heimdal does as well.
Heimdal supports client, server (both cross-realm referrals and server
name) in both the client library and the KDC.
Love
On Jun 27, 2008, at 11:51, Simo Sorce wrote:
> Thanks, the explanation there makes a lot of sense, but reading through
> the lines it probably would not affect the original poster security,
> because the "insecurity" of the TXT record is exploitable only in case a
> trusted realm is comprom
Simo Sorce wrote:
Uhmm perhaps we are thinking of two different things, once you control
DNS you control both direct and reverse address resolution.
Hence the reason that reverse DNS lookups are not to be used as per the
Security Considerations of RFC 4120.
Jeffrey Altman
On Fri, Jun 27, 2008 at 08:37:23AM -0400, Jeffrey Altman wrote:
> > That's something my patch changes as it performs the DNS lookup first (when
> > configured).
> Which in turn would disable Kerberos referrals.
Good to know. If referrals solve my problem, I'll set that up.
> There is a serious
On Fri, 2008-06-27 at 11:31 -0400, Jeffrey Altman wrote:
> Simo Sorce wrote:
> >> There are several issues here. First, DNS TXT records are known to be
> >> insecure.
> >
> > Jeff,
> > this statement is interesting, how are TXT records "insecure" ?
> I will refer you to the security consideratio
Simo Sorce wrote:
>> There are several issues here. First, DNS TXT records are known to be
>> insecure.
>
> Jeff,
> this statement is interesting, how are TXT records "insecure" ?
I will refer you to the security considerations section of the internet
draft. Note that the insecurity is one reason that
On Jun 27, 2008, at 11:17, Simo Sorce wrote:
> this statement is interesting, how are TXT records "insecure" ?
If a forged TXT RR is received, the client may be told the server is
in a different realm. That realm may have been compromised by an
attacker, and cross-realm authentication to it
On Fri, 2008-06-27 at 01:57 -0400, Jeffrey Altman wrote:
> Jos Backus wrote:
> > On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
> >> This behavior was most likely broken when the referrals code was added.
> >
> > So it's a regression. Until this is fixed properly (which I don't cl
Jos Backus wrote:
> On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be
>> insecure. Turning them on for use in realm resolution provides for
>> convenience but at the risk that your clients can be redirected to a real
On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
> There are several issues here. First, DNS TXT records are known to be
> insecure. Turning them on for use in realm resolution provides for
> convenience but at the risk that your clients can be redirected to a realm that you
Jos Backus wrote:
> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>> This behavior was most likely broken when the referrals code was added.
> So it's a regression. Until this is fixed properly (which I don't claim my
> patch does :-) ) I'm possibly in need of a workaround. Do you see an
On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
> This behavior was most likely broken when the referrals code was added.
So it's a regression. Until this is fixed properly (which I don't claim my
patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong
with t
Jos Backus wrote:
> (I know, following up on myself...)
> http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
> says:
> "The second mechanism works by looking up the information in special TXT
> records in the Domain Name Service. This is currently not used by default
> becau
(I know, following up on myself...)
http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
says:
"The second mechanism works by looking up the information in special TXT
records in the Domain Name Service. This is currently not used by default
because security holes co
Our setup employs two Kerberos realms, PROD.FOO.COM and DEV.FOO.COM under a
single DNS domain, foo.com. It would appear that dns_lookup_realm and the
addition of TXT RRs are supposed to handle this situation but it doesn't
appear to work.
Setup:
CentOS 5.1, krb5-1.6.1 RPMs.
kerberos1-dev.foo.com
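The realm-resolution and reverse-lookup behaviour argued over in this thread, as an added example (not code from the thread, from MIT krb5 or from Heimdal). It models the order in which a client consults the static [domain_realm] mapping and, only when dns_lookup_realm is true, the _kerberos TXT records, and it shows why a forged TXT or PTR answer decides which realm or which service principal the client ends up talking to (Jeffrey's point about TXT records and about reverse lookups). The krb5.conf fragment, the host names, the 192.0.2.10 address, the EVIL.EXAMPLE realm, the compromised-box host and every DNS answer are constructed for the demo; KDC referrals are not modelled, the walk up the parent domains is a simplification of the library's actual TXT lookup, and the rdns switch is this example's own parameter, not a claim about what the poster's 1.6.1 build offers.

```python
"""Added example, not code from the thread, MIT krb5 or Heimdal: a model of the two
places a Kerberos client lets DNS decide something security-relevant."""
import re
# Constructed krb5.conf for the two-realm, one-domain setup from the thread.
KRB5_CONF = """
[libdefaults]
    default_realm = PROD.FOO.COM
    dns_lookup_realm = false

[domain_realm]
    kerberos1-dev.foo.com = DEV.FOO.COM
    .dev.foo.com = DEV.FOO.COM
    .foo.com = PROD.FOO.COM
    foo.com = PROD.FOO.COM
"""
# Constructed answers an honest resolver would give: (rrtype, name) -> value.
HONEST_DNS = {
    ("TXT", "_kerberos.foo.com"): "PROD.FOO.COM",
    ("TXT", "_kerberos.kerberos1-dev.foo.com"): "DEV.FOO.COM",
    ("A", "kerberos1-dev.foo.com"): "192.0.2.10",
    ("PTR", "192.0.2.10"): "kerberos1-dev.foo.com",
}
# Whoever controls DNS controls TXT, A and PTR alike: a forged realm for the
# dev KDC, and a PTR pointing at a host the attacker already owns (constructed).
POISONED_DNS = {
    **HONEST_DNS,
    ("TXT", "_kerberos.kerberos1-dev.foo.com"): "EVIL.EXAMPLE",
    ("PTR", "192.0.2.10"): "compromised-box.foo.com",
}

def parse_krb5_conf(text):
    """Minimal parser for the flat sections used here: {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        if current is not None and value:
            current[key.strip().lower()] = value.strip()
    return sections

def realm_from_domain_realm(host, mapping):
    """Static mapping: exact host first, then each parent domain written with a
    leading dot (".dev.foo.com" before ".foo.com"). None if nothing matches."""
    labels = host.lower().rstrip(".").split(".")
    keys = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[k] for k in keys if k in mapping), None)

def realm_from_txt(host, dns):
    """_kerberos.<host>, then _kerberos.<parent>, and so on upward (simplified
    from the library's walk). The first answer wins, forged or not."""
    labels = host.lower().rstrip(".").split(".")
    hits = (dns.get(("TXT", "_kerberos." + ".".join(labels[i:]))) for i in range(len(labels)))
    return next((v for v in hits if v), None)

def resolve_realm(host, conf, dns):
    """Return (realm, source). DNS is consulted only after the static map fails
    and only when the administrator opted in with dns_lookup_realm = true."""
    realm = realm_from_domain_realm(host, conf.get("domain_realm", {}))
    if realm:
        return realm, "domain_realm"
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("dns_lookup_realm", "false").lower() in ("true", "yes", "1"):
        realm = realm_from_txt(host, dns)
        if realm:
            return realm, "dns_txt"
    return libdefaults.get("default_realm"), "default_realm"

def service_principal(typed_host, conf, dns, rdns):
    """host/<name>@<realm>. With rdns=True the PTR answer for the host's address
    replaces the typed name, so DNS chooses whose key the ticket is issued for."""
    name = typed_host.lower().rstrip(".")
    if rdns:
        addr = dns.get(("A", name))
        name = dns.get(("PTR", addr), name) if addr else name
    realm, _ = resolve_realm(name, conf, dns)
    return "host/%s@%s" % (name, realm)

def demo():
    conf = parse_krb5_conf(KRB5_CONF)
    # Static mapping present: the poisoned TXT record is never consulted.
    static = resolve_realm("kerberos1-dev.foo.com", conf, POISONED_DNS)
    # Same host on a client with dns_lookup_realm = true and no static entry.
    dns_conf = parse_krb5_conf(KRB5_CONF.replace("dns_lookup_realm = false",
                                                 "dns_lookup_realm = true"))
    dns_conf["domain_realm"].clear()
    honest = resolve_realm("kerberos1-dev.foo.com", dns_conf, HONEST_DNS)
    poisoned = resolve_realm("kerberos1-dev.foo.com", dns_conf, POISONED_DNS)
    # Reverse lookup lets a forged PTR choose the service principal.
    no_rdns = service_principal("kerberos1-dev.foo.com", conf, POISONED_DNS, rdns=False)
    with_rdns = service_principal("kerberos1-dev.foo.com", conf, POISONED_DNS, rdns=True)
    return static, honest, poisoned, no_rdns, with_rdns

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For the original poster's layout, the [domain_realm] entries in the embedded krb5.conf are what make two realms under one DNS domain work without trusting TXT records: the per-host and .dev.foo.com entries map the DEV hosts, and the .foo.com entry catches everything else, so the poisoned TXT record is never consulted. The same host on a client that relies on dns_lookup_realm alone is redirected to EVIL.EXAMPLE, and with reverse lookup enabled the forged PTR makes the client ask for a ticket for host/compromised-box.foo.com@PROD.FOO.COM, a key the attacker holds, instead of the host it was given.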
17 matches