CVS commit: wikisrc/kerberos

To: www-changes%NetBSD.org@localhost
Subject: CVS commit: wikisrc/kerberos
From: Taylor R Campbell <riastradh%netbsd.org@localhost>
Date: Mon, 5 Jun 2023 23:50:44 +0000

Module Name:    wikisrc
Committed By:   riastradh
Date:           Mon Jun  5 23:50:44 UTC 2023

Modified Files:
        wikisrc/kerberos: system.mdwn

Log Message:
kerberos/system: Simplify and fix instructions for NetBSD.

Using ~/.krb5/config sidesteps issues with pam_krb5 or anything like
it.

Setting as-is:match_domain=netbsd.org:

1. plugs the CNAME-chasing vulnerability
   (https://github.com/heimdal/heimdal/issues/1130); and

2. is necessary for wiki.n.o which has a CNAME to www46.n.o but uses
   service principal HTTP/wiki.netbsd.org%NETBSD.ORG@localhost, so it simply
   doesn't work with CNAME-chasing.

However, this limits the canonicalization rule to netbsd.org in case
the user relies on kerberized services in other Kerberos realms that
foolishly rely on the CNAME-chasing vulnerability.


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 wikisrc/kerberos/system.mdwn

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: wikisrc/users/wiz
Next by Date: CVS commit: wikisrc/kerberos
Previous by Thread: CVS commit: wikisrc/users/wiz
Next by Thread: CVS commit: wikisrc/kerberos
Indexes:

Home | Main Index | Thread Index | Old Index