[29765] in Kerberos

Re: Is a Kerberos principal always a DNS name?

daemon@ATHENA.MIT.EDU (Booker Bense)
Fri Apr 25 13:17:20 2008

From: bbense@slac.stanford.edu (Booker Bense)
Date: Fri, 25 Apr 2008 17:08:14 +0000 (UTC)
Message-ID: <fut35u$53l$3@news.Stanford.EDU>
X-Complaints-To: news@news.stanford.edu
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In article <fure3j$vvq$2@relay.tomsk.ru>,
Victor Sudakov  <vas@mpeks.no-spam-here.tomsk.su> wrote:
>Douglas E. Engert wrote:
>> > 
>> > Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>
>> I think they must be names, but don't have to be in DNS. The name could
>> be in /etc/hosts. The client and server must agree on the name of the
>> server, and the KDC has to have a service principal for the server.
>
>> IPs don't tend to work, and the IP number of the service changes,
>> with DHCP for example, each service would have to have a keytab
>> with the old and new IP numbers, which is not practical, and could
>> have some security issues.
>
>I thought that sometimes it would be convenient to have a principal
>like host/[10.1.1.1]@MY.REALM to be able to ssh into 10.1.1.1 without
>giving it a name. This is not possible, is it?
>

It's just a simple[1] matter of coding... Out of the box I don't
think it's possible. RSA keys make a lot more sense in that
scenario, IMHO.

_ Booker C. Bense 

[1]_ For exceedingly high values of simple...

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
