kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]

Nicolas Williams Nicolas.Williams at sun.com
Mon Jul 9 08:52:58 PDT 2007


On Mon, Jul 09, 2007 at 01:11:59AM +0200, Roland Mainz wrote:
> James Carlson wrote:
> > > -T kdc_vendor: specify the KDC of the client to be of kdc_vendor.  Supported
> > > vendors are currently:
> > >       ms_ad: Microsoft Active Directory
> > >       mit: MIT KDC server
> > >       heimdal: Heimdal KDC server
> > >       shishi: Shishi KDC server
> > 
> > Why does the user have to specify this?  Is there no way for the
> > client implementation to detect the proper KDC variant to use?
> 
> Erm, AFAIK this will end like the HTTP's "User-Agent:" - you cannot rely
> on the value since the submitter may change it intentionally in some
> cases to emulate other clients (for example Mozilla/FireFox allows to
> set the "User-Agent:" string to any value and other browsers like
> Konqueror have a sophisticated feature to set a specific User-Agent
> value per domain or URL).
> IMO it would be nice to keep such an option around...

The Kerberos V protocol is effectively a standard (Proposed Standard in
IETF parlance), and interoperable.

However there is no standard password changing protocol for Kerberos V,
and there is an abundance of non-interoperable protocols for that:

 - MIT kpasswd v1
 - RFC3244 (what MS AD implements, an extension of MIT kpasswd v1)
 - kadmin with AUTH_GSSAPI
 - kadmin with RPCSEC_GSS
 - Heimdal's kadmin

The client needs to know which password changing protocol to try.

The client could probe to find out.  For the three protocols that
Solaris 10 supports this should be feasible without much difficulty or
pain for the user.  But even if the i-team could implement auto-
detection of this, avoiding auto-detection means avoiding potential
downgrade attacks.

IOW, I can see a future case adding auto-detection support for this sort
of thing as a default, but I'm not sure that we'll not want to provide
an option to tie things down.

OTOH, I am mildly concerned that kclient probably doesn't record the -T
option anywhere.

Nico
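As an added illustration of the pinned-versus-probed point in the message above (this is constructed example code, not kclient's, Solaris's or any Kerberos implementation's; the protocol names, the vendor-to-protocol table, the probe order and the krb5.conf-style stanza are all assumptions made for the example): a client that auto-detects the password-change protocol will quietly settle on whichever candidate answers, so a probe that is made to fail for the preferred protocol steers it to a weaker one, whereas a client with an explicit `-T kdc_vendor` pin uses only the implied protocol and fails closed. The `record_pin`/`load_pin` pair shows one way the pin could be persisted, which addresses the concern that the option is otherwise not recorded.

```python
"""Pinned versus probed selection of a Kerberos password-change protocol.

Constructed example; not kclient's or any Kerberos implementation's code.
The vendor-to-protocol table, probe order and config stanza are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Which password-change protocol each 'kclient -T kdc_vendor' value implies.
# Assumed mapping; the thread only states that the protocols differ per KDC.
PROTOCOL_FOR_VENDOR: Dict[str, str] = {
    "ms_ad": "rfc3244",
    "mit": "kadmin_rpcsec_gss",
    "heimdal": "heimdal_kadmin",
    "shishi": "kpasswd_v1",
}

# Order an auto-detecting client would try candidates in (assumed).
PROBE_ORDER: List[str] = [
    "kadmin_rpcsec_gss", "kadmin_auth_gssapi", "rfc3244",
    "heimdal_kadmin", "kpasswd_v1",
]


class NoUsableProtocol(Exception):
    """Raised when the pinned protocol (or, unpinned, any protocol) is unreachable."""


@dataclass
class ClientConfig:
    kdc_vendor: Optional[str] = None          # None means "auto-detect"
    log: List[str] = field(default_factory=list)


def choose_protocol(cfg: ClientConfig, reachable: Callable[[str], bool]) -> str:
    """Pick the password-change protocol to use.

    reachable(name) stands in for a network probe and returns True when the
    KDC answers for that protocol.  With a pin the client uses exactly the
    implied protocol and fails closed if it does not answer; without a pin it
    walks PROBE_ORDER and accepts the first candidate that answers.
    """
    if cfg.kdc_vendor is not None:
        wanted = PROTOCOL_FOR_VENDOR[cfg.kdc_vendor]
        if not reachable(wanted):
            cfg.log.append(f"refused: pinned vendor {cfg.kdc_vendor} requires {wanted}")
            raise NoUsableProtocol(wanted)
        cfg.log.append(f"pinned: using {wanted}")
        return wanted
    for name in PROBE_ORDER:
        if reachable(name):
            cfg.log.append(f"auto-detected: using {name}")
            return name
    raise NoUsableProtocol("none")


def simulated_kdc(supported: Sequence[str], blocked: Sequence[str] = ()) -> Callable[[str], bool]:
    """Build a probe function for a KDC that speaks `supported`.

    `blocked` models probes that fail for reasons unrelated to KDC support
    (lost packets, a filtering middlebox); the KDC still speaks them.
    """
    return lambda name: name in supported and name not in blocked


def record_pin(vendor: str) -> str:
    """krb5.conf-style text a client could write to persist the -T choice (assumed layout)."""
    if vendor not in PROTOCOL_FOR_VENDOR:
        raise ValueError(f"unknown kdc_vendor {vendor!r}")
    return f"[libdefaults]\n\tkdc_vendor = {vendor}\n"


def load_pin(text: str) -> Optional[str]:
    """Read back the vendor recorded by record_pin(); None if absent."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "kdc_vendor":
            return value.strip()
    return None


def scenario(pinned: bool) -> Tuple[Optional[str], List[str]]:
    """AD-style KDC (RFC 3244 plus legacy kpasswd v1) whose RFC 3244 probe fails."""
    cfg = ClientConfig(kdc_vendor="ms_ad" if pinned else None)
    probe = simulated_kdc(supported=["rfc3244", "kpasswd_v1"], blocked=["rfc3244"])
    try:
        chosen: Optional[str] = choose_protocol(cfg, probe)
    except NoUsableProtocol:
        chosen = None
    return chosen, cfg.log


if __name__ == "__main__":
    print("auto-detect:", scenario(pinned=False))   # falls through to kpasswd_v1
    print("pinned ms_ad:", scenario(pinned=True))   # refuses rather than downgrade
```

Run as a script it prints the two outcomes side by side: the unpinned client ends up on kpasswd v1 with only an "auto-detected" log line, while the pinned client logs a refusal, which is the event a defender would want to see rather than a silent fallback.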
-- 