On Thursday, January 26, 2006 11:08:02 AM -0500 Ken Hornstein wrote:
>> Also, the use of TXT records to determine which realm a service
>> belongs to is insecure and is disabled by default in MIT Kerberos.
>> You would need to explicitly enable this functionality in your
>> krb5.ini file in order to use it.
>
> I will note that NO ONE has EVER explained to me how this is more
> insecure if you are canonicalizing DNS names ... which everyone does.

And which we specifically prohibited in RFC4120.
Everyone does it because it's what the implementations have always done,
and making the transition is hard -- especially when some widely-deployed
implementations still use the old behavior by default.
I will note that I have written multiple implementations which avoided
krb_get_phost or krb5_sname_to_principal specifically for this reason. It
has never made me happy.
-- Jeff
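The difference the thread argues about, as an added illustration that is not code from the thread, from OpenAFS or from MIT Kerberos: a hypothetical `sname_to_principal_canonical()` mimics the DNS-driven name rewriting of `krb5_sname_to_principal()`, while `sname_to_principal_literal()` builds the principal from the name the caller supplied, as RFC 4120 recommends. The A and PTR records are a constructed in-memory table so the script runs offline, and all function names are mine.

```python
# Added illustration, not code from the thread or from MIT Kerberos.
# A canonicalizing client resolves the host forward, reverse-resolves the
# address, and puts the result into the service principal. The name in the
# ticket request, and so the key that must decrypt it, is then chosen by
# whoever answers DNS. The literal variant uses the caller's name, lowercased.

# Constructed sample records standing in for a resolver (offline only).
FAKE_A = {"afs.example.com": "192.0.2.10"}
FAKE_PTR = {"192.0.2.10": "afs.example.com"}


def fake_resolve(hostname, a=FAKE_A, ptr=FAKE_PTR):
    """Mimic the forward-then-reverse walk of a canonicalizing client."""
    name = hostname.lower()
    addr = a.get(name)
    if addr is None:
        return name                        # no A record: name unchanged
    return ptr.get(addr, name).lower()     # a PTR record replaces the name


def sname_to_principal_canonical(service, hostname, realm,
                                 a=FAKE_A, ptr=FAKE_PTR):
    """Hypothetical stand-in for krb5_sname_to_principal() with DNS on."""
    return f"{service}/{fake_resolve(hostname, a, ptr)}@{realm}"


def sname_to_principal_literal(service, hostname, realm):
    """RFC 4120 style: trust the name the caller supplied, not DNS.
    The realm comes from configuration, never from DNS TXT records
    (MIT's dns_lookup_realm is off by default for the same reason)."""
    return f"{service}/{hostname.lower()}@{realm}"


def dns_would_rewrite(service, hostname, realm, a=FAKE_A, ptr=FAKE_PTR):
    """Defender's check: would canonicalization have changed the target?
    Handy for auditing hosts before turning DNS canonicalization off
    (MIT [libdefaults] dns_canonicalize_hostname = false, rdns = false)."""
    return (sname_to_principal_canonical(service, hostname, realm, a, ptr)
            != sname_to_principal_literal(service, hostname, realm))


if __name__ == "__main__":
    # Constructed PTR answer that differs from the typed name, to show
    # that the canonical principal is a function of DNS data.
    other_ptr = {"192.0.2.10": "other.example.com"}
    print(sname_to_principal_literal("afs", "AFS.Example.COM", "EXAMPLE.COM"))
    print(sname_to_principal_canonical("afs", "afs.example.com",
                                       "EXAMPLE.COM", ptr=other_ptr))
    print(dns_would_rewrite("afs", "afs.example.com", "EXAMPLE.COM",
                            ptr=other_ptr))
```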
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info