[32366] in Kerberos
Re: bug: krb5_get_host_realm() no longer uses DNS
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon May 17 19:50:17 2010
Date: Mon, 17 May 2010 18:49:10 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20100517234910.GI9429@oracle.com>
In-Reply-To: <1274135928.2419.249.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Mon, May 17, 2010 at 06:38:48PM -0400, Greg Hudson wrote:
> On Mon, 2010-05-17 at 18:21 -0400, Nicolas Williams wrote:
> > Method #1: Use gss_compare_name() to compare a name obtained by calling
> > gss_import_name() on "host@<hostname>" to the acceptor name
> > returned by gss_inquire_context().
>
> One of the reasons not to specify a desired name in an acceptor is that
> you don't know the hostname used by the client (because of aliases).
> Neither method #1 nor method #2 will work if you don't have a <hostname>
> value. You really just want to verify the "host" part.

True, but you can just iterate over all the known canonical hostnames of
the host. (This feature is usually desired for virtualization reasons.)
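
A minimal model of the check discussed in this thread, added here as an illustration and not code from either poster or from MIT krb5: it takes the acceptor name in krb5 display form (the string gss_display_name() gives for the name returned by gss_inquire_context()), verifies that the service component is "host", and iterates over a list of known hostnames. The function names, buffer sizes and sample host list are assumptions, and plain string handling stands in for gss_import_name() and gss_compare_name() so the block builds without a GSS-API library.

```c
#include <string.h>

/* Split "service/hostname@REALM" into its two components. Returns 0 on
 * success, -1 for any other shape. A backslash (krb5 escape) is rejected
 * outright: real host principals never need one, so fail closed. */
static int split_hostbased(const char *princ, char *svc, size_t svclen,
                           char *host, size_t hostlen)
{
    char *out = svc;
    size_t room = svclen, ncomp = 1;

    for (const char *p = princ; *p != '\0' && *p != '@'; p++) {
        if (*p == '\\')
            return -1;
        if (*p == '/') {            /* component separator */
            if (++ncomp > 2)
                return -1;          /* more than service/hostname */
            *out = '\0';
            out = host;
            room = hostlen;
            continue;
        }
        if (room <= 1)
            return -1;              /* component too long for its buffer */
        *out++ = *p;
        room--;
    }
    *out = '\0';
    return (ncomp == 2 && svc[0] != '\0' && host[0] != '\0') ? 0 : -1;
}

/* Constructed sample: every canonical name this (virtualized) host answers to. */
static const char *const KNOWN_HOSTS[] = { "www.example.com", "vhost1.example.com" };

/* 1 if acceptor_princ is host/<h>@<realm> for some h in hostnames, else 0.
 * The realm is not examined in this sketch. */
int acceptor_is_host_service(const char *acceptor_princ,
                             const char *const *hostnames, size_t n)
{
    char svc[32], host[256];

    if (split_hostbased(acceptor_princ, svc, sizeof svc, host, sizeof host) != 0)
        return 0;
    if (strcmp(svc, "host") != 0)
        return 0;                   /* some other service's principal */
    for (size_t i = 0; i < n; i++)  /* try each known hostname in turn */
        if (strcmp(host, hostnames[i]) == 0)
            return 1;
    return 0;
}
```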