[OpenAFS] differences between aklog on Windows and Unix?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Thu, 26 Jan 2006 11:08:02 -0500
>Also, the use of TXT records to determine which realm a service
>belongs to is insecure and is disabled by default in MIT Kerberos.
>You would need to explicitly enable this functionality in your
>krb5.ini file in order to use it.
I will note that NO ONE has EVER explained to me how this is more
insecure if you are canonicalizing DNS names ... which everyone does.
>From that draft:
This is not an exploit of the Kerberos protocol but of the Kerberos
trust model. The same can be done to any application that must
resolve the hostname in order to determine which domain a non-FQDN
belongs to.
I suppose I can see a case where you're getting stuff out of
CellServDB; those names are already FQDNs. But if you're looking up
your AFS cell information via AFSDB records, then you're already in the
same boat.
--Ken