[Review Request]: Kerberos5 final draft

Ceri Davies ceri at FreeBSD.org
Thu Sep 4 18:28:42 UTC 2003


On Thu, Sep 04, 2003 at 01:34:02PM -0400, Tom Rhodes wrote:
> Greetings -doc team, Robert,
> 
> Please see the diff and give me feedback.  This has already gone
> through a good review on -doc so I'm only really waiting for Robert's
> review.  Although I want to get any final comments or "please commit's"
> now.

OK, here are my comments (the ones I posted earlier were not from me,
but posted on behalf of my brother), from a quick scan.

       servers – meaning that external entities can connect and talk

This isn't your text, but should that be —?

 +    <itemizedList>
 +      <listitem>
 +	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
 +	  will be EXAMPLE.ORG.</para>

The itemizedlist should be all lowercase.

 +	<para>The <application>Kerberos</application> realm will be
 +	  EXAMPLE.ORG.</para>
 +      </listitem>
 +    </itemizedList>

Ditto.

 +      <para>Please use real domain names when setting up
 +	<application>Kerberos</application> even if you intend to run
 +	it internally.  This avoids <acronym>DNS</acronym> problems
 +	and assures interoperation with other
 +	<application>Kerberos</application> realms.</para>

Now, I don't want to be fussy, but above you've replaced "internetwork.." with
"inter-network", so I don't know if that should be "inter-operate" or not,
but ispell seems to think so.

 +      default_realm = example.org</programlisting>
 +
 +	<para>With the following lines being appended to the
 +	  <hostid role="fqdn">exmple.org</hostid> zonefile:</para>
 +
 +	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 +_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.

s/exmple/example/


 +	  <listitem>
 +	    <para><acronym>MIT</acronym> and Heimdal interoperate nicely.
 +	      Except for <command>kadmin</command>, the protocol for
 +	      which is not standardized.</para>
 +	  </listitem>

See above comment regarding the hyphen.


 +	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
 +	      will work, but the A and PTR records must be correct and in
 +	      place. The error message isn't very intuitive:
 +	      <errorname>KerberosV5 refuses authentication because Read req
 +	      failed: Key table entry not found</errorname>.</para>
 +	  </listitem>

You use "KerberosV5" here, but "Kerberos5" everywhere else.


 +	  <para><application>Kerberos</application> allows users, hosts
 +	    and services to authenticate between themselves.  It does not
 +	    have a mechanism to authenticate the <acronym>KDC</acronym>
 +	    to the users, hosts or services.  This means that a trojaned
 +	    <command>kinit</command> (for example) could record all user
 +	    names and passwords.  Something like
 +	    <filename role="package">security/tripwire</filename> or

I think "trojaned" is normally spelled "trojanned" (but I can't be sure,
because it's not a real word).

 +	  <application>Kerberos</application> home page</ulink></para>
 +	</listitem>
 +
 +	</itemizedList>
 +
 +    </sect2>
 +  </sect1>

Capitalisation of "itemizedlist" again.


I have attached a diff against your diff containing fixes for all the above,
but feel free to not use any you don't agree with.

Ceri
-- 
User: DO YOU ACCEPT JESUS CHRIST AS YOUR PERSONAL LORD AND SAVIOR?
Iniaes: Sure, I can accept all forms of payment.
                                           -- www.chatterboxchallenge.com
-------------- next part --------------
--- trhodes.bak	Thu Sep  4 19:15:00 2003
+++ trhodes	Thu Sep  4 19:19:25 2003
@@ -77,7 +77,7 @@
 --- chapter.sgml	Thu Sep  4 13:12:30 2003
 +++ chapter.new	Thu Sep  4 13:19:05 2003
 @@ -106,7 +106,7 @@
-       servers – meaning that external entities can connect and talk
+       servers — meaning that external entities can connect and talk
        to them.  As yesterday's mini-computers and mainframes become
        today's desktops, and as computers become networked and
 -      internetworked, security becomes an even bigger issue.</para>
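Review bot: the `+` line puts a raw non-ASCII em dash into the SGML source in place of the en dash; check that the chapter's declared character encoding accepts that byte sequence, or use whatever entity the document's other dashes use, because a literal multibyte character the build toolchain does not expect will render as garbage rather than as punctuation.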
@@ -153,7 +153,7 @@
 +    <para>For purposes of demonstrating a <application>Kerberos</application>
 +      installation, the various namespaces will be handled as follows:</para>
 +
-+    <itemizedList>
++    <itemizedlist>
 +      <listitem>
 +	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
 +	  will be EXAMPLE.ORG.</para>
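Review bot: lower-casing `<itemizedlist>` on the `+` line makes the tag consistent with the other lower-case element names in the hunk (`<para>`, `<listitem>`, `<acronym>`); the matching close tag is handled in the next hunk, and a grep of the whole chapter for `itemizedList` would confirm no further occurrences remain outside the hunks shown here.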
@@ -163,13 +163,13 @@
 +	<para>The <application>Kerberos</application> realm will be
 +	  EXAMPLE.ORG.</para>
 +      </listitem>
-+    </itemizedList>
++    </itemizedlist>
 +
 +    <note>
 +      <para>Please use real domain names when setting up
 +	<application>Kerberos</application> even if you intend to run
 +	it internally.  This avoids <acronym>DNS</acronym> problems
-+	and assures interoperation with other
++	and assures inter-operation with other
 +	<application>Kerberos</application> realms.</para>
 +    </note>
 +
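Review bot: on the `+` line, `assures inter-operation` should be `ensures inter-operation` (one assures a person, but ensures an outcome); the hyphenated spelling should also be checked against how `inter-networked` ends up at the hunk for line 77 so the chapter uses one convention for these compounds.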
@@ -273,7 +273,7 @@
 +      default_realm = example.org</programlisting>
 +
 +	<para>With the following lines being appended to the
-+	  <hostid role="fqdn">exmple.org</hostid> zonefile:</para>
++	  <hostid role="fqdn">example.org</hostid> zonefile:</para>
 +
 +	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 +_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
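Review bot: besides the exmple/example fix on the `+` line, the context line `default_realm = example.org` conflicts with the hunk for line 163, which states the realm will be EXAMPLE.ORG; Kerberos realm names are case-sensitive and conventionally upper-case, so either the configuration should read `default_realm = EXAMPLE.ORG` or the prose should say the realm is example.org. The SRV records (`_kerberos._udp IN SRV 01 00 88 kerberos.example.org.` and the `_tcp` twin) are consistent with the rest of the example as shown.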
@@ -559,7 +559,7 @@
 +	  </listitem>
 +
 +	  <listitem>
-+	    <para><acronym>MIT</acronym> and Heimdal interoperate nicely.
++	    <para><acronym>MIT</acronym> and Heimdal inter-operate nicely.
 +	      Except for <command>kadmin</command>, the protocol for
 +	      which is not standardized.</para>
 +	  </listitem>
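Review bot: the `+` line still leaves a sentence fragment (`inter-operate nicely. Except for <command>kadmin</command>, the protocol for which is not standardized.`); suggest joining the two: `inter-operate nicely, except for <command>kadmin</command>, whose protocol is not standardized.`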
@@ -578,7 +578,7 @@
 +	      <filename>/etc/hosts</filename> as a minimum).  CNAMEs
 +	      will work, but the A and PTR records must be correct and in
 +	      place. The error message isn't very intuitive:
-+	      <errorname>KerberosV5 refuses authentication because Read req
++	      <errorname>Kerberos5 refuses authentication because Read req
 +	      failed: Key table entry not found</errorname>.</para>
 +	  </listitem>
 +
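Review bot: the `-`/`+` pair edits text inside an `<errorname>` element, which quotes a message the software prints; renaming `KerberosV5` to `Kerberos5` for consistency with the prose is only correct if the actual message reads that way, so verify against real output before applying, otherwise readers who search for the message they see on screen will not find it in the Handbook.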
@@ -784,7 +784,7 @@
 +	  <para><application>Kerberos</application> allows users, hosts
 +	    and services to authenticate between themselves.  It does not
 +	    have a mechanism to authenticate the <acronym>KDC</acronym>
-+	    to the users, hosts or services.  This means that a trojaned
++	    to the users, hosts or services.  This means that a trojanned
 +	    <command>kinit</command> (for example) could record all user
 +	    names and passwords.  Something like
 +	    <filename role="package">security/tripwire</filename> or
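Review bot: `trojanned` on the `+` line is no more standard than `trojaned`; suggest rewording to `a compromised <command>kinit</command>` or `a <command>kinit</command> replaced with a trojan`, which also states the threat the paragraph is describing (credential capture by a tampered client binary, which Kerberos itself cannot detect, hence the pointer to a file-integrity tool such as `security/tripwire`) more plainly than the coinage does.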
@@ -825,7 +825,7 @@
 +	  <application>Kerberos</application> home page</ulink></para>
 +	</listitem>
 +
-+	</itemizedList>
++	</itemizedlist>
 +
 +    </sect2>
 +  </sect1>
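Review bot: same case fix as at the hunks for lines 153 and 163, but this closes a third list whose opening `<itemizedList>` sits above line 825, outside the hunk; since three separate lists carried the mixed-case spelling, that opening tag needs the same check so open and close tags agree.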