[Ach] Short kerberos section review

Denis Knauf denis.knauf+ach at gmail.com
Sun Feb 2 18:38:15 CET 2014


Hi,

I read the pull request:
https://github.com/arwarw/Applied-Crypto-Hardening/commit/c7a48ec9db5b41a0faf970bcb37895362230cad3
First, I tried the configuration for mit-krb5 1.10.1 on Debian/Ubuntu;
it works fine for me.
With the defaults it worked fine, too, but with des3, not aes, for example.

I can't say what you need to know. It is as expected: an overview
of the algorithms and possible problems with different implementations,
hints for existing installations and a working configuration. He has
experience or is an expert; he knows the problems with DNSSEC and NTP.

Updating an existing installation I did not test - I
installed a completely new server on a new machine. Because of incompatible
algorithm changes, it is possible that it could fail.

One thing I miss: advice that it is very important that Kerberos needs a
really secure machine as its server. So it's better to run only Kerberos on
this server, nothing else.

The defaults of Kerberos servers are very stupid. It is really
important to change them manually. It's important to advise this.
This pull request is better than every default conf, so I say, pull it.

Denis


