[Ach] Short kerberos section review
Denis Knauf
denis.knauf+ach at gmail.com
Sun Feb 2 18:38:15 CET 2014
Hi,
I read the pull request:
https://github.com/arwarw/Applied-Crypto-Hardening/commit/c7a48ec9db5b41a0faf970bcb37895362230cad3
First, I tried the configuration for mit-krb5 1.10.1 on Debian/Ubuntu;
it works fine for me.
With the defaults it worked fine, too, but with des3, not aes, for example.
I can't say what you need to know. It's as expected: an overview
of the algorithms and possible problems with different implementations,
hints for existing installations and a working configuration. He has
experience or is an expert; he knows the problems with DNSSEC and NTP.
Updating an existing installation I did not test - I
installed a completely new server on a new machine. Because of incompatible
algorithm changes, it is possible that it could fail.
One thing I miss: it's very important to advise that Kerberos needs a
really secure machine as its server. So it's better to run only Kerberos on
this server, nothing else.
The defaults of Kerberos servers are very stupid. It is really
important to change them manually. It's important to advise this.
This pull request is better than every default conf, so I say, pull it.
Denis