> Indeed, it should. What Russ is alluding to here is the fact that most
> aklogs determine what realm to use by applying the normal Kerberos
> host-to-realm mapping on the hostname of one of the DB servers. Of course,
> this introduces all sorts of security issues related to trusting the names
> in AFSDB records, but that's been true for a while.
You know, I've never been happy that aklog does that (I can't take all the blame for that one; it was like that when I first got aklog). I understand why it was done, but it was always a kludge.

What do people think about the idea of having an AFS RPC which said, "Hey, what's your Kerberos realm?" This would have to be done unauthenticated of course, so I don't see it being any better from a security standpoint, but it would solve this particular problem, and it really makes more sense. (Since you don't forward TGTs to AFS fileservers, I don't view it as a huge problem .... I admit it's not ideal and depending on what you do with AFS I can think of some interesting possible attacks, but it's certainly not worse than anything people are doing now).

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
