[krb5/f17] Change back dns_lookup_kdc to the default

Nalin Dahyabhai nalin at fedoraproject.org
Tue Mar 20 22:24:04 UTC 2012


commit 8b8707d260012c1a7e51b25a2fa9e488418c171d
Author: Stef Walter <stefw at redhat.com>
Date:   Tue Mar 20 21:45:43 2012 +0100

    Change back dns_lookup_kdc to the default
    
    The specifications recommend against using TXT records to map
    hostnames to realms. However, they do not recommend against using
    SRV records to look up the KDC.
    
    Change back to the MIT default of enabling DNS for KDC lookup.
    This allows automatic configuration and failover.
    
    A theoretical attack involving SRV records could be similarly
    accomplished by a similar attack involving the A records for
    the KDC hosts.

 krb5.conf |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)
---
diff --git a/krb5.conf b/krb5.conf
index 33ec1cc..b2e0a25 100644
--- a/krb5.conf
+++ b/krb5.conf
@@ -6,7 +6,6 @@
 [libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
- dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
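
Review bot: At the removed `dns_lookup_kdc = false` line in [libdefaults], the resulting behaviour becomes implicit. The file still states `dns_lookup_realm = false` explicitly, but nothing left in it tells an administrator that KDC discovery now goes through DNS SRV records. Consider replacing the line with an explicit `dns_lookup_kdc = true`, or a short comment above `ticket_lifetime`, so the setting is visible and auditable in the shipped krb5.conf. Since the commit message itself rests the argument on DNS answers being as trustworthy as the KDC A records, a comment pointing sites that want fixed KDCs to list them with `kdc =` under [realms] would also fit here.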

