[1899] in Kerberos_V5_Development


Re: Default getting of V4 tickets

daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Oct 29 10:43:50 1996

Date: Tue, 29 Oct 1996 10:41:42 -0500
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: <9610291517.AA08626@dcl.MIT.EDU>
From: "Richard Basch" <basch@lehman.com>

On Tue, 29-October-1996, "Theodore Y. Ts'o" wrote to "krbdev@MIT.EDU" saying:

> I propose that we turn *off* the default getting of V4 tickets in
> bsd/appl/login.c, and make people explicitly turn it on (by editing
> krb5.conf) if they want it.
> 
> The rationale is that people who aren't doing V4 compatibility don't
> need the extra hair, and currently the V4 library code has
> ATHENA.MIT.EDU hard-coded as the default realm if krb.conf doesn't
> exist.  This causes a name resolution to kerberos.athena.mit.edu, which
> is pointless (fortunately it doesn't exist, or it would get hosed with
> random Kerberos requests).  
> 
> Another solution is to put in the support in the V4 library to use the
> V5 krb5.conf file instead.  There was talk of doing this, and it may
> even be how things are done in the Cygnus release, but it's not done
> now.  It's also not clear to me whether or not this is really a good
> idea by default.  In any case, simply turning off the default behavior
> in appl/bsd/login.c is by far the most risk-free way of fixing the
> problem, so that's what I would propose we do.
> 
> Comments?

I concur that the V4 requests should be disabled.  Also, in the long
term, would it not be better to use the 524 interface instead?  After
all, if a site wishes to use pre-authentication to avoid dictionary
attacks on the user passwords, it might be better if we require them to
use a challenge-response to obtain the initial tickets and then use the
compatibility interface to obtain the older version tickets when the
user has sufficiently passed the pre-authentication method.

-- 
Richard Basch                   
Sr. Developer/Analyst, DSO      URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.           Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 38th Floor      Fax:   +1-201-524-5828
Jersey City, NJ 07302-3988      Voice: +1-201-524-5049
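Basch's point about pre-authentication and dictionary attacks, illustrated as an added example (this is constructed code, not anything from the original message or from MIT Kerberos): a toy KDC whose initial-ticket exchange can run either V4-style, answering any request with material encrypted under the user's key, or gated by a V5-style encrypted-timestamp pre-authentication. The cipher, the string-to-key function, the message formats, the principal name, the password and the word list are all stand-ins invented for the demonstration.

```python
"""Toy model of the AS exchange with and without pre-authentication.
Constructed example, not MIT Kerberos code: the cipher, string-to-key
function and message formats stand in for DES and the real V4/V5 encodings."""
import hashlib
import hmac
import os
import time
from typing import Optional

MAGIC = b"TOYKRB"   # fixed plaintext header, like the fields a real reply echoes back
MAX_SKEW = 300      # seconds of clock skew tolerated for the encrypted timestamp


def string_to_key(password: str) -> bytes:
    """Toy string-to-key: fast and unsalted, like V4's DES string_to_key."""
    return hashlib.sha256(b"toy-s2k:" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: HMAC-derived keystream plus an authentication tag.
    The tag gives a guesser the same "did this key fit?" oracle that the
    recognisable plaintext structure of a real DES-encrypted reply provides."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))


class ToyKDC:
    """require_preauth=False behaves like a V4 KDC (or V5 without preauth):
    any request is answered with material encrypted in the user's key.
    require_preauth=True first demands a timestamp encrypted in that key,
    the V5 encrypted-timestamp pre-authentication."""

    def __init__(self, passwords: dict, require_preauth: bool):
        self.keys = {p: string_to_key(pw) for p, pw in passwords.items()}
        self.require_preauth = require_preauth

    def as_req(self, principal: str, pa_enc_timestamp: Optional[bytes] = None):
        key = self.keys.get(principal)
        if key is None:
            return ("ERR", "PRINCIPAL_UNKNOWN")
        if self.require_preauth:
            if pa_enc_timestamp is None:
                return ("ERR", "PREAUTH_REQUIRED")   # nothing key-encrypted leaves the KDC
            ts = decrypt(key, pa_enc_timestamp)
            if ts is None or abs(time.time() - int(ts)) > MAX_SKEW:
                return ("ERR", "PREAUTH_FAILED")
        session_key = os.urandom(16)
        return ("REP", encrypt(key, MAGIC + principal.encode() + b"|" + session_key))


def client_login(kdc: ToyKDC, principal: str, password: str) -> Optional[bytes]:
    """Legitimate client: supplies the encrypted timestamp when the KDC wants it."""
    key = string_to_key(password)
    pa = encrypt(key, str(int(time.time())).encode()) if kdc.require_preauth else None
    status, payload = kdc.as_req(principal, pa)
    if status != "REP":
        return None
    plain = decrypt(key, payload)
    return plain if plain is not None and plain.startswith(MAGIC) else None


def offline_dictionary_attack(kdc: ToyKDC, principal: str, wordlist) -> Optional[str]:
    """Attacker: request a ticket for someone else's principal without knowing
    the password, then try candidate passwords against the reply offline."""
    status, payload = kdc.as_req(principal)           # no pre-auth data supplied
    if status != "REP":
        return None                                   # no ciphertext to guess against
    for guess in wordlist:
        plain = decrypt(string_to_key(guess), payload)
        if plain is not None and plain.startswith(MAGIC):
            return guess
    return None


USERS = {"basch": "correct-horse"}                              # constructed
WORDLIST = ["password", "kerberos", "correct-horse", "athena"]  # constructed

if __name__ == "__main__":
    v4_like = ToyKDC(USERS, require_preauth=False)
    print("V4-style KDC, attacker recovers:", offline_dictionary_attack(v4_like, "basch", WORDLIST))
    v5_preauth = ToyKDC(USERS, require_preauth=True)
    print("V5 with preauth, attacker recovers:", offline_dictionary_attack(v5_preauth, "basch", WORDLIST))
    print("legitimate login still works:", client_login(v5_preauth, "basch", "correct-horse") is not None)
```

The V4-style KDC hands the attacker a reply encrypted under the victim's key in exchange for nothing but a principal name, so every candidate password can be tested offline at the cost of one decryption; the pre-authenticating KDC refuses to emit that reply until the requester has already proved knowledge of the key, so there is nothing to guess against. That is the reason to obtain the initial ticket through the V5 exchange and only then derive the V4 ticket from it through the 524 conversion, as Basch suggests, rather than leaving a V4 initial-ticket exchange open on the side.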

