Re: 2 questions
> after using MIT Kerberos I am new to Heimdal Kerberos and would
> like to ask one rather practical and another rather theoretical
> question:
>
> 1) Which configuration information has priority: the one provided
> by DNS or the one from the local configuration file /etc/krb5.conf
> (I got some strange effects with a fresh Heimdal test installation
> in the context of a different MIT production installation)?
Order is:
plugin, configuration file, dns srv-rr, dns a-rr for
kerberos{,-1,-2,-3,..}.realm-name
> 2) Does the recent Heimdal 0.8.1 implementation of pk-init take
> care of the issues raised in "Breaking and Fixing Public-Key
> Kerberos" (I. Cervesato, A.D. Jaggard, A. Scedrov, J.-K. Tsay, and
> C. Walstad) which resulted in the latest IETF draft?
In the client, yes. I didn't see any need to support it in the old
Windows 2000 protocol given that XP and friends don't use it.
I was proven wrong, and the kdc will support it in heimdal-0.9 which
I should release "soon".
> This pkinit extension comes in very handy, e.g. when wishing to
> combine the Kerberos related AFS file service and grid computing
> with key/certificate based authentication.
The pkinit code in heimdal also supports proxy certs, but it has to
be turned on explicitly.
Love
- References:
- 2 questions
- From: Wolfgang Gehrke <wgehrke@dia.uniroma3.it>