On 10 Mar 2010, at 20:17, Russ Allbery wrote:
> I don't know to what extent this is applicable to rxgk, since it has a
> separate rxgk service, but it may be of interest and is at least worth
> reviewing.
Thanks for the pointer. The attacks in that document aren't relevant
to rxgk, because we don't use any information derived from the DNS in
determining the acceptor identity.
rxgk defines the GSSAPI acceptor as being r...@_afs.<cellname>. For
Kerberos sites, this has the advantage that if their cellname is a DNS
name, then their existing domain->realm mapping rules should take care
of determining the realm of the principal.
S.
_______________________________________________
AFS3-standardization mailing list
http://michigan-openafs-lists.central.org/mailman/listinfo/afs3-standardization