[Review Request] Kerberose 5 patch. Version two!

Tillman Hodgson tillman at seekingfire.com
Thu Sep 4 17:15:37 UTC 2003 

On Thu, Sep 04, 2003 at 04:23:53PM +0100, Ceri Davies wrote:
> On Wed, Sep 03, 2003 at 04:36:16PM -0400, Tom Rhodes wrote:
> > All,
> > 
> > Ok, after finally digging through the large amount of comments in
> > my email, and finding some free time to actually apply them, I have
> > produced another version.  This mixes comments from everyone who
> > send any, and I hope this looks good.
> 
> Tom,
> 
> I forwarded this to my brother, who recently set up a Kerberos5 installation
> (albeit on NetBSD), and he came back with the attached comments.
> 
> Hope they help.
> 
> Ceri

> From rasputin at idoru.mine.nu Thu Sep 04 14:52:39 2003
> Return-path: <rasputin at idoru.mine.nu>
> Envelope-to: setantae at submonkey.net
> Delivery-date: Thu, 04 Sep 2003 14:52:39 +0100
> Received: from shaft.techsupport.co.uk ([212.250.77.214])
> 	by shrike.submonkey.net with esmtp (TLSv1:DHE-RSA-AES256-SHA:256)
> 	(Exim 4.22)
> 	id 19uuXL-0007ah-KY
> 	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:35 +0100
> Received: from pc2-cdif1-6-cust172.cdif.cable.ntl.com
> 	([80.3.231.172] helo=idoru.mine.nu ident=8136-ident-is-a-completely-pointless-protocol-that-offers-no-security-or-traceability-at-all-so-take-this-and-log-it!)
> 	by shaft.techsupport.co.uk with esmtp (TLSv1:EDH-RSA-DES-CBC3-SHA:168)
> 	(Exim 4.20)
> 	id 19uuXJ-0004Al-PB
> 	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:33 +0100
> Received: from rasputin by idoru.mine.nu with local (Exim 4.10)
> 	id 19uuXH-0006vk-00
> 	for setantae at submonkey.net; Thu, 04 Sep 2003 14:52:31 +0100
> Date: Thu, 4 Sep 2003 14:52:31 +0100
> From: Rasputin <rasputin at idoru.mine.nu>
> To: Ceri Davies <setantae at submonkey.net>
> Subject: Re: [trhodes at FreeBSD.org: [Review Request] Kerberose 5 patch.  Version two!]
> Message-ID: <20030904135231.GA24693 at lb.tenfour>
> Reply-To: Rasputin <rasputin at idoru.mine.nu>
> References: <20030904100736.GB25063 at submonkey.net> <20030904121506.GA23968 at lb.tenfour> <20030904122856.GC25063 at submonkey.net> <20030904123147.GA18323 at lb.tenfour> <20030904130235.GF25063 at submonkey.net>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <20030904130235.GF25063 at submonkey.net>
> User-Agent: Mutt/1.4.1i
> X-Spam-Status: No, hits=-8.9 required=5.0
> 	tests=AWL,BAYES_20,IN_REP_TO,REFERENCES,USER_AGENT_MUTT
> 	autolearn=ham version=2.55
> X-Spam-Level: 
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> Status: RO
> Content-Length: 2323
> Lines: 64
> 
> * Ceri Davies <setantae at submonkey.net> [0902 14:02]:
> 
> Ta for that, it all looks good. I'm surprised by 3 bits though.
> [ I assume you have the same Heimdal distro as us,if you don't
> that would explain 2) and 3) ]
> 
> 1) "   For purposes of demonstrating a Kerberos installation, the various
>    namespaces will be handled as follows:
>      * The DNS domain (``zone'') will be example.org.
>      * The Kerberos realm will be example.org.
> 
>      Note: Please use real domain names when setting up Kerberos even if
>      you intend to run it internally. This avoids DNS problems and
>      assures interoperation with other Kerberos realms.
> "
> I know it's only a convention, but I'd still put the realm name in caps.

I agree - my original draft had it in all caps. I suspect it got lost
when the .prv TLDs were changed to .org.

> 2) "10.7.2 Setting up a Heimdal KDC
> 
>    Next we will set up your Kerberos config file, /etc/krb5.conf:
> [libdefaults]
>     default_realm = example.org
> .
> .
> .
> "
> 
> If you set up BIND properly, that's all you need in krb5/conf, see:
<snip>

I can see your point. I use DNS for my own realms and it does work quite
well.

My arguments for doing it the krb5.conf way:

* You still require a minimal krb5.conf in any case, so putting the
  server information in there results in fewer installation steps. This
  isn't what I do for a large production environment, but it is what
  I'd do for a short tutorial.

* I wanted to avoid creating dependencies - the user may not want to
  use bind.

* The DNS method tends to break kadmin if you run multiple realms off of
  the same KDC. Explaining how to run kadmind on alternate ports is
  beyond the scope of a Handbook chapter IMO.

Would a reference to Kerberos and DNS work?

> 3) "10.7.8.2 Kerberos is intended for single-user workstations
> 
>    In a multi-user environment, Kerberos is less secure. This is because
>    it stores the tickets in the /tmp directory, which is readable by all
>    users. If a user is sharing a computer with several other people
>    simultaneously (i.e. multi-user), it is possible that the user's
>    tickets can be stolen (copied) by another user."
> 
> If the files are world-readable in /tmp then I agree,
> but to be honest that's a bug that shouldbefixed.

It's not probably not completely fixable - whoever has root powers has
the capability to "become" any user by using their Kerberos ticket.
Granted, root has that power already but this extends it beyond the
local machine. Users may not expect (or want) that.

Great comments, thanks!

-T


-- 
Some are born to Enlightenment, some achieve Enlightenment, and others
have Enlightenment larted upon them.
    - A.S.R. quote (Greg)

More information about the freebsd-doc mailing list