Re: your mail
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: your mail
- From: Antoine Verheijen <antoine_(_at_)_nihon_(_dot_)_ucs_(_dot_)_ualberta_(_dot_)_ca>
- Date: Thu, 20 Jul 2000 13:28:08 -0600 (MDT)
>
> On Thu, 20 Jul 2000, Antoine Verheijen wrote:
>
> > No ... I'm sorry ... you're wrong. This is the way it works in OpenBSD, not the
> > way it works in krb4. The decision to use the short hostname instead
> > of the fqdn is purely arbitrary and at the discretion of the application
> > or service.
>
> um, no. go look at any other krb4 code, including Kerberized Mac and
> Windows clients. see krb_get_phost(). if you wanted to "fix" this in one
> fell swoop, you'd modify that routine to return the FQDN, but as hin says,
> at the expense of interoperability with all other krb4 implementations.
The fact is, I use the kerberized Mac code (NiftyTelnet w/SSH) and it will
not perform Kerberos authentication against OpenBSD using tickets unless
I obtain a service key with an instance of the FQDN. That's part of where
my grief began. This was before I made any changes whatsoever to OpenBSD.
>
> > Note, for example, that OpenBSD inconsistently uses the fqdn for
> > "Kerberized" telnet but uses the short name elsewhere.
>
> can you point me to the relevant code snippet? if it does, this is wrong.
>
> > Furthermore, the suggested change is completely backward compatible
> > with the way it works now: if the fqdn doesn't work, the short name is
> > then tried, just as it was before.
>
> but it's a site-specific hack, requiring two keys per host, and still
> breaking interoperability with all other krb4 implementations.
This has been addressed in other messages. :-)
>
> > Short machine names should never be used, particularly where security
> > is an issue.
>
> agreed, but this is why they fixed this in krb5. neither should "root" be
> allowed as a Kerberos principal, IMO, but whatever - Kerberos sucks!
You're right: root should not be permitted. That's easy enough as an admin.
Frankly, I quite like Kerberos, myself. Go figure. :-)
>
> -d.
>
> ---
> http://www.monkey.org/~dugsong/
>
>
>
-----------------------------------------------------------------------
Antoine Verheijen Email: Antoine_(_dot_)_Verheijen_(_at_)_UAlberta_(_dot_)_CA
CNS Network Services Phone: (403) 492-9312
University of Alberta Fax: (403) 492-1729
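An added example, not from this thread or from any krb4 implementation, that models the instance derivation the thread argues about: a krb_get_phost()-style short name versus the FQDN, and the FQDN-then-short-name fallback, checked against a constructed srvtab. Hostnames, realm and key bytes are constructed placeholders.

```python
# Added example: models krb4 service-instance derivation and key lookup.
# Not code from the thread or from any Kerberos implementation.

def krb4_phost(hostname: str) -> str:
    """Mimic krb_get_phost(): lowercase and keep only the first label."""
    return hostname.lower().split(".", 1)[0]


def candidate_instances(hostname: str, policy: str) -> list:
    """Instances a client will try, in order, under a given policy:
    'short'           - stock krb4 behaviour (krb_get_phost only)
    'fqdn'            - a client that insists on the full name
    'fqdn_then_short' - the backward-compatible fallback proposed in the thread
    """
    short, fqdn = krb4_phost(hostname), hostname.lower()
    if policy == "short":
        return [short]
    if policy == "fqdn":
        return [fqdn]
    if policy == "fqdn_then_short":
        return [fqdn, short] if fqdn != short else [short]
    raise ValueError("unknown policy: " + policy)


def find_service_key(srvtab: dict, service: str, hostname: str,
                     realm: str, policy: str):
    """Return the instance whose key is present in srvtab, or None on mismatch."""
    for inst in candidate_instances(hostname, policy):
        if (service, inst, realm) in srvtab:
            return inst
    return None


# Constructed srvtab keyed only under the short instance, as stock krb4 expects.
SRVTAB_SHORT_ONLY = {("rcmd", "host1", "EXAMPLE.REALM"): b"key-1"}

# Constructed srvtab holding both instances: the "two keys per host" cost
# raised in the thread, needed to satisfy clients of either policy.
SRVTAB_BOTH = {
    ("rcmd", "host1", "EXAMPLE.REALM"): b"key-1",
    ("rcmd", "host1.example.com", "EXAMPLE.REALM"): b"key-2",
}
```

A client that uses only the FQDN instance finds no key in a short-name-only srvtab, while the fallback policy still matches the short key, which is the backward compatibility the author claims.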