/etc/hosts and DNS

Luke clairst at uiuc.edu
Thu Feb 17 13:06:32 EST 2005


On 2005-02-17, Fredrik Tolf <fredrik at dolda2000.com> wrote:
> On Thu, 2005-02-17 at 02:07 +0000, Luke wrote:
>> On 2005-02-14, Luke <clairst at uiuc.edu> wrote:
> I've been thinking about this as well -- I'm running Kerberos and IPv6
> at home, and a friend of mine is planning on using it as well, but since
> we have no control over the reverse mappings, and he also has a dynamic
> IP, we're in trouble.
>
> My initial thoughts on how to solve it would be to write a new nsswitch
> module for (g)libc that we plug into nsswitch as a host module. It would
> then try to do reverse lookups by trying to contact the remote host and
> simply ask it what it wants to be called. That, of course, requires a
> protocol to do so, but I was planning on simply hooking up hostname -f
> into xinetd.

Ugh.

Seems like clients should either be able to specify which host principal
they want to connect to, disable reverse dns lookups in Kerberos, or have a
default principal for certain services, perhaps in app_defaults in
krb5.conf.  

The first solution would be kind of a pain, since it would mean every kerberized
client would have to support this.

Second solution would be nice, and I'd be willing to deal with the
additional security implications.  This would be so convenient, in fact,
that I'm not totally convinced that it doesn't exist.

Third solution would probably be best, if more kerberized services supported it.

However, I'm not sure any of the three is possible, out of the box, with MIT
or Heimdal right now, though I need to look into it more.

