
Re: 2 questions



> after using MIT Kerberos I am new to Heimdal Kerberos and would  
> like to ask one rather practical and another rather theoretical  
> question:
>
> 1) Which configuration information has priority: the one provided  
> by DNS or the one from the local configuration file /etc/krb5.conf  
> (I got some strange effects with a fresh Heimdal test installation  
> in the context of a different MIT production installation)?

Order is:

plugin, configuration file, dns srv-rr, dns a-rr for kerberos{,-1,-2,-3,..}.realm-name


> 2) Does the recent Heimdal 0.8.1 implementation of pk-init take  
> care of the issues raised in "Breaking and Fixing Public-Key  
> Kerberos" (I. Cervesato, A.D. Jaggard, A. Scedrov, J.-K. Tsay, and  
> C. Walstad) which resulted in the latest IETF draft?

In the client, yes. I didn't see any need to support it in the old
Windows 2000 protocol given that XP and friends don't use it.

I was proven wrong, and the kdc will support it in heimdal-0.9 which  
I should release "soon".

> This pkinit extension comes in very handy, e.g. when wishing to combine
> the Kerberos related AFS file service and grid computing with
> key/certificate based authentication.

The pkinit code in Heimdal also supports proxy certs, but it has to
be turned on explicitly.

Love
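
The lookup order given in the reply above, modelled in Python to show which source ends up deciding the KDC for a realm. This is an added example, not Heimdal code and not part of the original message. Assumptions: the first source that returns any host is used, the SRV owner name follows RFC 4120, the resolvers are injected functions, and the krb5.conf text and all host names are constructed.

```python
import re

# Constructed sample krb5.conf; realm and host names are made up.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org:88
        admin_server = kdc1.example.org
    }
"""

def config_kdcs(conf_text, realm):
    """Collect 'kdc =' values for realm from [realms] (flat realm blocks only)."""
    section, current, kdcs = None, None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = (part.strip() for part in line.partition("="))
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section == "realms" and value == "{":
            current = key
        elif line == "}":
            current = None
        elif current == realm and key == "kdc" and value:
            kdcs.append(value)
    return kdcs

def fallback_names(realm, count=3):
    """A-record names from the reply: kerberos, kerberos-1, ... under the realm name."""
    domain = realm.lower()
    return ["kerberos." + domain] + ["kerberos-%d.%s" % (i, domain) for i in range(1, count + 1)]

def locate_kdc(realm, conf_text, srv_lookup, a_lookup, plugin=None):
    """Return (source, hosts). Assumption: the first source with an answer is used."""
    hosts = plugin(realm) if plugin else []
    if hosts:
        return "plugin", hosts
    hosts = config_kdcs(conf_text, realm)
    if hosts:
        return "configuration file", hosts
    # SRV owner name per RFC 4120; srv_lookup and a_lookup are injected resolvers.
    hosts = srv_lookup("_kerberos._udp." + realm.lower())
    if hosts:
        return "dns srv-rr", hosts
    hosts = [name for name in fallback_names(realm) if a_lookup(name)]
    return ("dns a-rr", hosts) if hosts else (None, [])
```

A realm with kdc entries in the configuration file never reaches the DNS steps in this model, while a realm missing from the file takes whatever the SRV or A lookups return.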