[29764] in Kerberos


Re: Is a Kerberos principal always a DNS name?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Apr 25 10:31:57 2008

Message-ID: <4811EABE.2010201@anl.gov>
Date: Fri, 25 Apr 2008 09:29:18 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
CC: kerberos@mit.edu
In-Reply-To: <fure3j$vvq$2@relay.tomsk.ru>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Victor Sudakov wrote:
> Douglas E. Engert wrote:
>>> Is a Kerberos principal always a DNS name? Can't an IP literal be used?
> 
>> I think they must be names, but don't have to be in DNS. The name could
>> be in /etc/hosts. The client and server must agree on the name of the
>> server, and the KDC has to have a service principal for the server.
> 
>> IPs don't tend to work, and if the IP number of the service changes,
>> with DHCP for example, each service would have to have a keytab
>> with the old and new IP numbers, which is not practical and could
>> have some security issues.
> 
> I thought that sometimes it would be convenient to have a principal
> like host/[10.1.1.1]@MY.REALM to be able to ssh into 10.1.1.1 without
> giving it a name. This is not possible, is it?

Don't know, I have not tried it, and don't want to try it either.
There are too many pitfalls, like:

  o DHCP changing addresses;

  o Hosts with multiple addresses;

  o IPv6;

  o Code that may treat a string as an IP number or as a name and parse it
    with 10 as the simple host name and 1.1.1 as the rest. What do you put in
    the krb5.conf [domain_realm] section?

The use of host names was chosen for Kerberos because names are at a level
above the IP number and don't change as often. Names are readable and
can impart some information to the user that they are connecting to the
correct host.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
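To make the last pitfall concrete, here is an added example (written for this archive page, not code from the poster or from MIT Kerberos) that models how a krb5.conf [domain_realm] lookup walks a host name and then builds a host/<name>@REALM service principal from it. The mapping table, host names and realms are constructed for illustration; the lookup order (exact host first, then each parent domain with a leading dot, longest first) is an assumed simplification of the real library rule, and the DNS TXT and default_realm fallbacks are deliberately left out. It also shows what a name-oriented parser does with 10.1.1.1 and adds the check a practitioner would want: refuse IPv4 and IPv6 literals before they ever reach the principal name.

```python
import ipaddress
from typing import Iterator, Optional

# Constructed stand-in for a krb5.conf [domain_realm] section (not from the post).
DOMAIN_REALM = {
    "kdc1.example.org": "EXAMPLE.ORG",      # exact host entry
    ".example.org": "EXAMPLE.ORG",          # any host under example.org
    ".lab.example.net": "LAB.EXAMPLE.NET",  # a separate lab realm
}


def parent_domains(hostname: str) -> Iterator[str]:
    """Yield the parent-domain keys to try after the exact name, longest
    first: 'a.b.c.d' -> '.b.c.d', '.c.d', '.d'.  (Assumed lookup order.)"""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def host_to_realm(hostname: str, mapping: dict = DOMAIN_REALM) -> Optional[str]:
    """Map a host name to a realm using the [domain_realm]-style table.
    Returns None when nothing covers the name (no DNS/default_realm fallback)."""
    name = hostname.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    for key in parent_domains(name):
        if key in mapping:
            return mapping[key]
    return None


def naive_split(hostname: str) -> tuple:
    """What name-oriented code does with '10.1.1.1': the first label becomes
    the 'short host name' and everything after it the 'domain'."""
    short, _, domain = hostname.partition(".")
    return short, domain


def is_ip_literal(s: str) -> bool:
    """True for IPv4/IPv6 literals, with or without the [..] brackets used
    in the question.  Host names never parse as addresses."""
    try:
        ipaddress.ip_address(s.strip("[]"))
        return True
    except ValueError:
        return False


def check_service_host(hostname: str, mapping: dict = DOMAIN_REALM) -> str:
    """Classify a candidate service host: 'ip-literal', 'unmapped' or 'ok'."""
    if is_ip_literal(hostname):
        return "ip-literal"
    if host_to_realm(hostname, mapping) is None:
        return "unmapped"
    return "ok"


def service_principal(service: str, hostname: str,
                      mapping: dict = DOMAIN_REALM) -> str:
    """Build service/host@REALM, refusing IP literals and unmapped names."""
    status = check_service_host(hostname, mapping)
    if status == "ip-literal":
        raise ValueError(f"{hostname!r} is an IP literal; use the canonical host name")
    if status == "unmapped":
        raise LookupError(f"no [domain_realm] entry covers {hostname!r}")
    return f"{service}/{hostname.lower().rstrip('.')}@{mapping_lookup(hostname, mapping)}"


def mapping_lookup(hostname: str, mapping: dict) -> str:
    realm = host_to_realm(hostname, mapping)
    assert realm is not None  # guaranteed by check_service_host
    return realm


if __name__ == "__main__":
    print(service_principal("host", "www.example.org"))
    print("keys tried for 10.1.1.1:", list(parent_domains("10.1.1.1")))
    print("naive parse of 10.1.1.1:", naive_split("10.1.1.1"))
    for cand in ("10.1.1.1", "[10.1.1.1]", "2001:db8::1", "box.nowhere.test"):
        print(f"{cand:>20}: {check_service_host(cand)}")
```

Walking 10.1.1.1 through the table tries ".1.1.1", ".1.1" and ".1", none of which any sane [domain_realm] section contains, and the naive parse yields a host "10" in domain "1.1.1"; the literal is rejected up front instead.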
