[982] in Kerberos_V5_Development
krb5_sname_to_princ interface for addresses
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Jan 29 16:59:40 1996
Date: Mon, 29 Jan 1996 16:59:25 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krbdev@MIT.EDU
I believe I have discussed this previously, but we need an
interface to krb5_sname_to_princ that takes (or derives) an address
instead of a hostname. Basically, the current interface has problems
when multiple A records are associated with a single name. The
problem can be noticed with athena.dialup, although the dialup
nameservers are somewhat more complicated than simply multiple A
records.
The problem is that two hostname resolution calls are made on
the name, one to get the IP address to connect to, and one to
canonicalize the name for the service ticket. The problem is that
with modern (round-robin) nameds, these two calls tend to give
different results; you are likely to connect to vongole and get
tickets for some other dialup.
What I propose as a partial solution is having a version of
sname_to_princ that will take the IP address you have connected to,
canonicalize that, and return the service principal. This will not
be a full solution because people can potentially have multiple PTR
records for the same IP address, but this breaks much more than
multiple A records.
I propose that the new routine take a context, auth context,
service name, and service time, return an error code and output a
principal. The reason I propose to take an auth_context instead of
just an address is that it's a lot easier to establish addresses in an
auth_context than it is to establish a krb5_address from a getpeername
call.
--Sam
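The failure mode described in the message, and the address-based fix it proposes, modelled as an added example (not krb5 code, and not from the message's author). The resolver, the `RoundRobinResolver` class, the `connect`, `sname_to_princ_by_name` and `sname_to_princ_by_addr` functions, the `AmbiguousAddress` exception and the `example.org` records are all constructed for illustration; the name-based routine's behaviour (forward lookup, then reverse lookup of the first address returned) is an assumption about how the old canonicalization worked, chosen to match the two-resolution description above. The address-based routine also refuses an address with more than one PTR record, which is the caveat the message gives for its partial solution.

```python
"""
Round-robin DNS versus service-principal canonicalization.

Constructed model: a resolver whose A records rotate on every query,
a client that connects to the first address it gets, and two ways of
building the service principal. None of this is krb5 code.
"""
from collections import deque


class RoundRobinResolver:
    """Constructed DNS data. A records rotate on each query, like a
    round-robin named; PTR records map an address to one or more names."""

    def __init__(self, a_records, ptr_records):
        self._a = {name: deque(addrs) for name, addrs in a_records.items()}
        self._ptr = {addr: list(names) for addr, names in ptr_records.items()}

    def lookup_a(self, name):
        """Return the A records in their current order, then rotate them."""
        rr = self._a[name]
        result = list(rr)
        rr.rotate(-1)
        return result

    def lookup_ptr(self, addr):
        """Return every PTR name for addr (empty list if none)."""
        return list(self._ptr.get(addr, []))


class AmbiguousAddress(Exception):
    """Raised when an address has more than one PTR record."""


def connect(resolver, hostname):
    """First resolution: the client connects to the first A record it is given."""
    return resolver.lookup_a(hostname)[0]


def sname_to_princ_by_name(resolver, service, hostname, realm):
    """Name-based canonicalization (assumed old behaviour): a second
    forward lookup, then a reverse lookup of the first address returned.
    With a rotating resolver this is not the address that was connected to."""
    first_addr = resolver.lookup_a(hostname)[0]
    names = resolver.lookup_ptr(first_addr)
    canonical = names[0] if names else hostname
    return f"{service}/{canonical.lower()}@{realm}"


def sname_to_princ_by_addr(resolver, service, peer_addr, realm):
    """Address-based canonicalization (the proposal): reverse-resolve the
    peer address actually connected to. Multiple PTR records are refused
    rather than guessed, since the choice would be arbitrary."""
    names = resolver.lookup_ptr(peer_addr)
    if not names:
        raise LookupError(f"no PTR record for {peer_addr}")
    if len(names) > 1:
        raise AmbiguousAddress(f"{peer_addr} has {len(names)} PTR records: {names}")
    return f"{service}/{names[0].lower()}@{realm}"


def demo():
    """Constructed dialup pool: one name, three addresses, one PTR each."""
    resolver = RoundRobinResolver(
        a_records={"dialup.example.org": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]},
        ptr_records={
            "10.0.0.1": ["vongole.example.org"],
            "10.0.0.2": ["clam.example.org"],
            "10.0.0.3": ["mussel.example.org"],
        },
    )
    peer = connect(resolver, "dialup.example.org")
    by_name = sname_to_princ_by_name(resolver, "host", "dialup.example.org", "EXAMPLE.ORG")
    by_addr = sname_to_princ_by_addr(resolver, "host", peer, "EXAMPLE.ORG")
    return peer, by_name, by_addr


if __name__ == "__main__":
    peer, by_name, by_addr = demo()
    print("connected to:      ", peer)
    print("name-based princ:  ", by_name)   # ticket for a host we did not connect to
    print("address-based princ:", by_addr)  # ticket for the host we did connect to
```

Run as a script, the name-based routine yields a principal for `clam.example.org` while the connection went to `10.0.0.1` (`vongole.example.org`), which is the "connect to vongole and get tickets for some other dialup" outcome; the address-based routine returns the `vongole` principal. Give an address two PTR records and the address-based routine raises instead of picking one, which is where the message's partial solution stops.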