WWW-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: wikisrc/kerberos

Module Name:    wikisrc
Committed By:   riastradh
Date:           Mon Jun  5 23:50:44 UTC 2023

Modified Files:
        wikisrc/kerberos: system.mdwn

Log Message:
kerberos/system: Simplify and fix instructions for NetBSD.

Using ~/.krb5/config sidesteps issues with pam_krb5 or anything like

Setting as-is:match_domain=netbsd.org:

1. plugs the CNAME-chasing vulnerability
   (https://github.com/heimdal/heimdal/issues/1130); and

2. is necessary for wiki.n.o which has a CNAME to www46.n.o but uses
   service principal HTTP/wiki.netbsd.org%NETBSD.ORG@localhost, so it simply
   doesn't work with CNAME-chasing.

However, this limits the canonicalization rule to netbsd.org in case
the user relies on kerberized services in other Kerberos realms that
foolishly rely on the CNAME-chasing vulnerability.

To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 wikisrc/kerberos/system.mdwn

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Home | Main Index | Thread Index | Old Index