FQDN needed by sasl_gss_client_step or gss_import_name?

Nicolas Williams Nicolas.Williams at ubsw.com
Fri May 17 13:13:05 EDT 2002


On Thu, May 16, 2002 at 08:19:14PM -0500, Jacques A. Vidrine wrote:
> On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
> > Hopefully the Kerberos clarifications in the krb-wg will address this
> > issue and MIT will change their implementation.
> 
> Change it how?

At the interim KRB-WG meeting there was a discussion about this.

Here are some possibilities, tell me which you prefer :)

 - don't canonicalize, expect the user to know the canonical name
 - secure DNS (yeah...)
 - don't canonicalize, spontaneously alias principals at the KDC

That last one means that when I use a non-fully-qualified hostname or an
alias of a hostname as, or as part of, a service principal name, then the
KDC will issue the requested ticket IFF the KDC can determine that the
requested name is indeed an alias of some other SPN. The application too
must know its aliases or try its keys for all SPNs by which a client
references it.

IIRC MS does just that.

That is what I propose MIT, Heimdal et al. do.
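A toy model of the options discussed in this message, added here as an illustration and not code from MIT, Heimdal or the poster: a client that canonicalizes through (spoofable) DNS versus a client that sends the name as typed and lets the KDC resolve aliases from its own table. Hostnames, keys and resolver answers are constructed.

```python
# Constructed example: models service-principal canonicalization at the client
# (via DNS) versus alias resolution at the KDC. Not real Kerberos code.
from typing import Dict, Optional, Tuple

REALM = "EXAMPLE.COM"

# The KDC's own, authoritative alias table (the "alias at the KDC" option).
KDC_ALIASES = {"mail": "mailhost.example.com", "smtp.example.com": "mailhost.example.com"}

# Constructed long-term service keys known to the KDC, keyed by SPN.
KDC_KEYS = {
    "host/mailhost.example.com@EXAMPLE.COM": b"key-mailhost",
    "host/evil.example.com@EXAMPLE.COM": b"key-evil",
}

# Two resolver views: an honest one, and one where the CNAME for 'mail'
# has been redirected to a host whose key the KDC also holds.
HONEST_DNS = {"mail": "mailhost.example.com"}
SPOOFED_DNS = {"mail": "evil.example.com"}


def spn(host: str) -> str:
    return f"host/{host}@{REALM}"


def kdc_issue(requested: str, alias_at_kdc: bool) -> Optional[Tuple[str, bytes]]:
    """Return (principal the ticket is for, key it is sealed under), or None."""
    host = requested.split("/", 1)[1].split("@", 1)[0]
    if alias_at_kdc:
        # Issue IFF the KDC itself can map the name to an SPN it knows.
        host = KDC_ALIASES.get(host, host)
    target = spn(host)
    if target not in KDC_KEYS:
        return None
    return target, KDC_KEYS[target]


def client_get_ticket(typed: str, dns: Dict[str, str], alias_at_kdc: bool):
    """Without KDC aliasing the client trusts DNS to canonicalize the name;
    with it the client asks for the name exactly as the user typed it."""
    host = typed if alias_at_kdc else dns.get(typed, typed)
    return kdc_issue(spn(host), alias_at_kdc)


def server_accept(ticket, server_keys: Dict[str, bytes]) -> bool:
    """The application tries every key it holds (one per SPN clients use)."""
    if ticket is None:
        return False
    _principal, sealed_with = ticket
    return any(key == sealed_with for key in server_keys.values())
```

With the spoofed resolver the DNS-canonicalizing client obtains a ticket for the wrong principal without noticing, while the KDC-aliasing client is unaffected by the resolver answer and an unknown alias is simply refused.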
