[29752] in Kerberos
Re: Is a Kerberos principal always a DNS name?
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Apr 24 14:09:34 2008
Message-ID: <4810CC21.9030001@anl.gov>
Date: Thu, 24 Apr 2008 13:06:25 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
CC: kerberos@mit.edu
In-Reply-To: <fupovd$25qp$1@relay.tomsk.ru>
Victor Sudakov wrote:
> Colleagues,
>
> Is a Kerberos principal always a DNS name? Can't an IP literal be used?
I think they must be names, but don't have to be in DNS. The name could
be in /etc/hosts. The client and server must agree on the name of the
server, and the KDC has to have a service principal for the server.
IPs don't tend to work, and if the IP number of the service changes,
with DHCP for example, each service would have to have a keytab
with the old and new IP numbers, which is not practical, and could
have some security issues.
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
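
Added example (not part of the original message and not code from any Kerberos distribution): a small check of whether the principal a client would request for a given target has a key in the server's keytab, using /etc/hosts-style names and `klist -k`-style output. The host names, realm, addresses and keytab listing are constructed sample data, the function names are hypothetical, and the model assumes an IP literal is used verbatim with no reverse lookup.

```python
import ipaddress

# Constructed sample data (not from the original post).
HOSTS_FILE = """\
# /etc/hosts style entries
127.0.0.1      localhost
192.0.2.10     fileserver.example.org fileserver
"""
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/fileserver.example.org@EXAMPLE.ORG
   3 nfs/fileserver.example.org@EXAMPLE.ORG
"""

def parse_hosts(text):
    """Map every name and alias to the first (canonical) name on its line."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                names.setdefault(name.lower(), fields[1].lower())
    return names

def keytab_principals(klist_text):
    """Collect principals from 'klist -k' style lines: '<kvno> <principal>'."""
    found = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            found.add(parts[1])
    return found

def service_principal(service, target, realm, hosts):
    """Principal a client would request for 'target' (simplified model)."""
    try:
        # Assumption: an IP literal is used as-is, with no reverse lookup.
        host = str(ipaddress.ip_address(target))
    except ValueError:
        host = hosts.get(target.lower(), target.lower())
    return f"{service}/{host}@{realm}"

def server_can_accept(service, target, realm, hosts_text, klist_text):
    """Return (principal, True if the keytab holds a key for it)."""
    principal = service_principal(service, target, realm, parse_hosts(hosts_text))
    return principal, principal in keytab_principals(klist_text)
```

With the sample data, the alias `fileserver` maps to a principal the keytab holds, while the literal `192.0.2.10` maps to one it does not.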