[29760] in Kerberos
Re: Is a Kerberos principal always a DNS name?
daemon@ATHENA.MIT.EDU (Victor Sudakov)
Thu Apr 24 22:31:32 2008
From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Fri, 25 Apr 2008 02:02:27 +0000 (UTC)
Message-ID: <fure3j$vvq$2@relay.tomsk.ru>
X-Comment-To: "Douglas E. Engert" <deengert@anl.gov>
To: kerberos@mit.edu
Douglas E. Engert wrote:
> >
> > Is a Kerberos principal always a DNS name? Can't an IP literal be used?
> I think they must be names, but don't have to be in DNS. The name could
> be in /etc/hosts. The client and server must agree on the name of the
> server, and the KDC has to have a service principal for the server.
> IPs don't tend to work, and the IP number of the service changes,
> with DHCP for example, each service would have to have a keytab
> with the old and new IP numbers, which is not practical, and could
> have some security issues.

I thought that sometimes it would be convenient to have a principal
like host/[10.1.1.1]@MY.REALM to be able to ssh into 10.1.1.1 without
giving it a name. This is not possible, is it?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/