[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: your mail
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: your mail
- From: Antoine Verheijen <antoine_(_at_)_nihon_(_dot_)_ucs_(_dot_)_ualberta_(_dot_)_ca>
- Date: Thu, 20 Jul 2000 13:28:08 -0600 (MDT)
> On Thu, 20 Jul 2000, Antoine Verheijen wrote:
> > No ... I'm sorry ... you're wrong. This is the way it work in OpenBSD, not
> > way it works in krb4. The decision to use the short hostname name instead
> > of the fqdn is purely arbitrary and at the descretion of the application
> > or service.
> um, no. go look at any other krb4 code, including Kerberized Mac and
> Windows clients. see krb_get_phost(). if you wanted to "fix" this in one
> fell swoop, you'd modify that routine to return the FQDN, but as hin says,
> at the expense of interoperability with all other krb4 implementations.
The fact is, I use the kerberized Mac code (NiftyTelnet w/SSH) and it will
not perform Kerberos authentication against OpenBSD using tickets unless
I obtain a service key with an instance of the FQDN. That's part of where
my grief began. This was before I made any changes whatsoever to OpenBSD.
> > Note, for exmaple, that OpenBSD inconsistently uses the fqdn for
> > "Kerberized" telnet but uses the short name elsewhere.
> can you point me to the relevant code snippet? if it does, this is wrong.
> > Furthermore, the suggested change is completely backward compatible
> > with the way it works now: if the fqdn doesn't work, the short name is
> > then tried, just as it was before.
> but it's a site-specific hack, requiring two keys per host, and still
> breaking interoperability with all other krb4 implementations.
This has been addressed in other messages. :-)
> > Short machine names should never be used, particularly where security
> > is issue.
> agreed, but this is why they fixed this in krb5. neither should "root" be
> allowed as a Kerberos principal, IMO, but whatever - Kerberos sucks!
You're right: root should not be permitted. That's easy enough as an admin.
Frankly, I quite like Kerberos, myself. Go figure. :-)
Antoine Verheijen Email: Antoine_(_dot_)_Verheijen_(_at_)_UAlberta_(_dot_)_CA
CNS Network Services Phone: (403) 492-9312
University of Alberta Fax: (403) 492-1729
Visit your host, monkey.org