Different Services, Different Realms, but One Host
Ken Raeburn
raeburn at MIT.EDU
Tue Mar 9 12:31:30 EST 2004
On Tuesday, Mar 9, 2004, at 12:08 US/Eastern, Sam Hartman wrote:
>>>>>> "ms419" == ms419 <ms419 at freezone.co.uk> writes:
> ms419> Pardon this newbish question, but here's the setup: I want
> ms419> to distribute the keys for one host among two
> ms419> realms. Basically, I've got a sensitive service running on
> ms419> a couple of hosts, and a less secure service running on the
> ms419> same hosts. I want to store the keys for the sensitive
> ms419> service in one realm, and the keys for the others in
> ms419> another. Any problems with these premises?
>
> Yes. Current Kerberos implementations assume a host belongs to one
> realm. You'll find it difficult to actually do this.
Note that this is an implementation issue; the Kerberos protocol
specification itself says that a service may be registered in multiple
realms. But there are also specifications which assume that the realm
name -- or *a* realm name, I guess -- can be determined from the
service name and host name through unspecified means. As far as I
know, current implementations do that determination using the host name
only.
> I recommend having one KDC which is more secure than your most
> sensitive service.
This is probably best, if it can be arranged.
Ken
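As an added illustration, not code from this thread or from any Kerberos implementation, the following simplified model shows the host-name-only realm lookup Ken describes: a client walks its [domain_realm]-style mapping keyed on the host name, so two services on the same host always resolve to the same realm whatever the service name is. The mapping and realm names are constructed sample values.

```python
# Simplified model of a Kerberos client choosing the realm for a service
# principal from a [domain_realm]-style mapping. This is an illustration
# of the behaviour discussed in the thread, not MIT krb5's real code.
# The lookup keys on the host name alone; the service name never enters
# into it, which is why one host cannot be split across two realms this way.

# Constructed sample mapping in the shape of a krb5.conf [domain_realm]
# section: exact host entries have no leading dot, suffix entries do.
DOMAIN_REALM = {
    "db1.example.com": "SECURE.EXAMPLE.COM",  # exact host entry
    ".example.com": "EXAMPLE.COM",            # suffix entry for the domain
    "example.com": "EXAMPLE.COM",
}
DEFAULT_REALM = "EXAMPLE.COM"


def realm_for_host(hostname, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Return the realm for a host: exact match first, then the longest
    matching dotted suffix, then the default realm."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try ".b.c", then ".c"; the first (longest) suffix that matches wins.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default


def realm_for_service(service, hostname, **kw):
    """Realm for a service/hostname principal. The service argument is
    deliberately unused: the decision depends on the host name only."""
    return realm_for_host(hostname, **kw)


if __name__ == "__main__":
    # Both the sensitive and the less secure service on db1 land in the
    # same realm, because only the host name is consulted.
    for svc in ("host", "imap"):
        print(svc, "db1.example.com", "->",
              realm_for_service(svc, "db1.example.com"))
```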