[3904] in Kerberos
Re: hierarchical realms
daemon@ATHENA.MIT.EDU (Mark W. Eichin)
Thu Sep 22 17:00:19 1994
Date: Thu, 22 Sep 1994 16:44:02 +0500
From: "Mark W. Eichin" <eichin@MIT.EDU>
To: Derek Atkins <warlord@MIT.EDU>
Cc: Tai Jin <tai@nsa.hp.com>, P-Pomes@uiuc.edu, kerberos@MIT.EDU
In-Reply-To: [3892]
It's been suggested in the past that the namespace is a good place for
this info (well, a better place might be the application server
itself; when you connect, find out what realm to use as part of the
protocol.) Simply add a new record for that name with a realm name
(not unlike the way Hesiod works.) It isn't any more prone to spoofing
than the address of the machine itself would be... the main issue is
that most people who set up kerberos don't have access to manipulate
the namespace too :-) Has anyone worked out details on that idea? It
would eliminate this config file problem entirely...
_Mark_
