Different Services, Different Realms, but One Host
ms419@freezone.co.uk
Tue Mar 9 03:39:19 EST 2004
Pardon this newbish question, but here's the setup: I want to
distribute the keys for one host among two realms. Basically, I've got
a sensitive service running on a couple of hosts, and a less secure
service running on the same hosts. I want to store the keys for the
sensitive service in one realm, and the keys for the others in another.
Any problems with these premises?
So, I know Kerberos picks the realm in which to find a key based on the
hostname - the mapping is based on the hostname. I also know Kerberos
uses a host's FQDN - reverse lookup on IP, so if my host has only one
IP, it has only one FQDN. I hoped maybe Kerberos grabbed a key using
the FQDN, but picked the realm using the hostname in the request. So I
created an alias "blue.tint". My server's FQDN is "blue.shade". I hoped
connecting to "blue.shade" would use the key "snstv/blue.shade@SHADE",
while connecting to "blue.tint" would use the key
"inscr/blue.shade@TINT". It doesn't work this way. Wisely, I guess. But
why can't I specify a mapping to realm using all of the sought
principal? snstv/* -> SHADE, inscr/* -> TINT?
So my question is, short of giving a host two IP addresses, can I get
it using keys from two different realms? Or is this just silly?
Thanks!
Jack
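The behaviour Jack describes (realm chosen from the canonical host name, not from the service part of the principal) can be modelled in a few lines. This is an added example, not code from the post or from Kerberos itself; the reverse-DNS table and the [domain_realm] entries are constructed, and the suffix-matching order is an assumption modelled on MIT krb5's domain_realm lookup.

```python
"""Model of Kerberos realm selection for a host (added example).

Assumptions (not from the post): the client canonicalises the host name
via a constructed reverse-DNS table, then maps the canonical name to a
realm with [domain_realm]-style rules: exact host match first, then the
longest matching ".parent.domain" entry, else the default realm.
"""

# Constructed stand-in for reverse DNS: alias -> canonical FQDN.
REVERSE_DNS = {"blue.tint": "blue.shade", "blue.shade": "blue.shade"}

# Constructed krb5.conf-style [domain_realm] section.
DOMAIN_REALM = {
    ".shade": "SHADE",
    "blue.tint": "TINT",
    ".tint": "TINT",
}


def canonical_host(hostname):
    """Return the FQDN Kerberos will use (reverse lookup on the host's IP)."""
    return REVERSE_DNS.get(hostname.lower(), hostname.lower())


def host_realm(hostname, domain_realm=DOMAIN_REALM, default_realm="SHADE"):
    """Map a host name to a realm the way a [domain_realm] table does."""
    host = hostname.lower()
    if host in domain_realm:          # exact host entry wins
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):   # ".b.c" is tried before ".c"
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def server_principal(service, hostname):
    """Build the principal a client looks for. The realm comes from the
    canonical host only, so the service component never influences it."""
    host = canonical_host(hostname)
    return f"{service}/{host}@{host_realm(host)}"


if __name__ == "__main__":
    # Both names end up in SHADE, which is what the post observed.
    print(server_principal("snstv", "blue.shade"))  # snstv/blue.shade@SHADE
    print(server_principal("inscr", "blue.tint"))   # inscr/blue.shade@SHADE
```

The alias "blue.tint" would map to TINT on its own, but canonicalisation replaces it with "blue.shade" before the realm lookup runs, so the second service still lands in SHADE.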