[OpenAFS] differences between aklog on Windows and Unix?
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 26 Jan 2006 18:00:54 -0500
On Thursday, January 26, 2006 11:08:02 AM -0500 Ken Hornstein
<kenh@cmf.nrl.navy.mil> wrote:
>> Also, the use of TXT records to determine which realm a service
>> belongs to is insecure and is disabled by default in MIT Kerberos.
>> You would need to explicitly enable this functionality in your
>> krb5.ini file in order to use it.
>
> I will note that NO ONE has EVER explained to me how this is more
> insecure if you are canonicalizing DNS names ... which everyone does.
And which we specifically prohibited in RFC4120.
Everyone does it because it's what the implementations have always done,
and making the transition is hard -- especially when some widely-deployed
implementations still use the old behavior by default.
I will note that I have written multiple implementations which avoided
krb_get_phost or krb5_sname_to_principal specifically for this reason. It
has never made me happy.
-- Jeff