Jeffrey Hutzelman wrote:
> No, that would be a horrible solution. It's terribly insecure, and
> introduces Kerberos-specific behavior at a time when we're trying to
> move forward with a mechanism-independent security class. Really, Jeff,
> you should know better.

You are correct. Any such implementation should provide a list of supported security classes and class-specific hints for use in client authentication.

I'm not sure I see that attack you are thinking of. The use of DNS TXT record lookups to determine the Kerberos realm for a service is insecure because there is no method of validating the reply. While it is true that the reply to an unauthenticated afs service query can be tampered with, once the credentials are obtained by aklog they can be used to perform an authenticated query to verify the initial results.

Jeffrey Altman
