Different Services, Different Realms, but One Host

ms419@freezone.co.uk
Tue Mar 9 03:39:19 EST 2004


Pardon this newbish question, but here's the setup: I want to 
distribute the keys for one host among two realms. Basically, I've got 
a sensitive service running on a couple of hosts, and a less secure 
service running on the same hosts. I want to store the keys for the 
sensitive service in one realm, and the keys for the others in another. 
Any problems with these premises?

So, I know Kerberos picks the realm in which to find a key based on the 
hostname - the mapping is based on the hostname. I also know Kerberos 
uses a host's FQDN - reverse lookup on IP, so if my host has only one 
IP, it has only one FQDN. I hoped maybe Kerberos grabbed a key using 
the FQDN, but picked the realm using the hostname in the request. So I 
created an alias "blue.tint". My server's FQDN is "blue.shade". I hoped 
connecting to "blue.shade" would use the key "snstv/blue.shade at SHADE", 
while connecting to "blue.tint" would use the key 
"inscr/blue.shade at TINT". It doesn't work this way. Wisely, I guess. But 
why can't I specify a mapping to realm using all of the sought 
principal? snstv/* -> SHADE, inscr/* -> TINT?

So my question is, short of giving a host two IP addresses, can I get 
it using keys from two different realms? Or is this just silly?

Thanks!

Jack
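For readers following the thread: the hostname-to-realm mapping the poster describes lives in the [domain_realm] section of krb5.conf, and the reverse-lookup canonicalization step that collapses the alias back to the FQDN is governed by two [libdefaults] options. The fragment below is an added illustration, not from the poster or anyone on the list; it reuses the hostnames blue.shade and blue.tint and the realms SHADE and TINT from the post, and the KDC names kdc.shade and kdc.tint are assumed placeholders. The `rdns` and `dns_canonicalize_hostname` settings are real MIT Kerberos options.

```ini
# Added illustration (not from the post). Hostnames blue.shade / blue.tint
# and realms SHADE / TINT come from the poster's description; the KDC
# hostnames below are assumed placeholders.
[libdefaults]
    default_realm = SHADE
    # Without these two settings the client canonicalizes the name it was
    # given (forward lookup, then reverse lookup on the IP), so the alias
    # blue.tint turns back into the FQDN blue.shade before the
    # [domain_realm] table is consulted. Disabling them keeps the name the
    # user typed. It is also the safer choice: a spoofed PTR record can no
    # longer redirect a client to a different service principal.
    rdns = false
    dns_canonicalize_hostname = false

[realms]
    SHADE = {
        kdc = kdc.shade
    }
    TINT = {
        kdc = kdc.tint
    }

[domain_realm]
    # Exact-host entries are matched before the leading-dot suffix entries,
    # so one machine can map to different realms under different names.
    blue.shade = SHADE
    blue.tint  = TINT
    .shade     = SHADE
    .tint      = TINT
```

With this in place a client contacting blue.tint asks the TINT KDC for a ticket for inscr/blue.tint@TINT, and one contacting blue.shade asks SHADE for snstv/blue.shade@SHADE. The service side must then hold the keys under the names clients will actually request; an MIT keytab file can carry entries for principals from more than one realm, so both can sit in the same keytab on the host.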


