Kerberos authentication without reverse lookup

Fredrik Tolf fredrik at dolda2000.com
Sun Jan 16 22:40:59 EST 2005


Hi!

I've been using Kerberos on my home network for a year or so now with
great success. A friend of mine is looking to deploy Kerberos on his
home network as well, and when he does this, we think it would be very
nice to set up cross-realm authentication to be able to authenticate
against each other's services. We would be using IPv6 over a 6to4
bridge, so NAT wouldn't be a problem.

However, there is an obvious problem with this, since we won't be able
to perform reverse DNS lookups against each other's networks. Since, as
you all know, Kerberos relies on reverse lookups to canonicalize service
principal names, we're in quite a pinch about this.

I was thinking about adding local hints to our own reverse zones to our
Bind configs to make reverse lookups work just between our own networks,
but that will be extremely difficult at best, since he has a dynamic IP.
We can figure out how to update the forward zones when his IP changes,
but since updating the reverse zones involves creating an entire new
zone each time, that solution feels a bit hopeless... :-(

So, is there anyone who has experienced a similar situation before and
solved it? Is there, by any chance, another way of letting Kerberos
canonicalize service principal names?

Thank you for your time!

Fredrik Tolf
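As an added illustration (not part of the original post), here is a small offline model of the canonicalization step the post describes: a client forward-resolves the service host, reverse-resolves the resulting address, and builds `host/<name>@REALM` from whatever name comes back. The DNS tables, hostnames and realms are constructed, and the fallback-to-forward-name rule is an assumption of this model, not a statement about any particular Kerberos implementation.

```python
# Added example: model of service-principal canonicalization via DNS.
# All records below are constructed; the realm names are hypothetical.

FORWARD = {  # hostname -> AAAA address (constructed)
    "www.example.test":  "2002:c000:0201::1",
    "mail.friend.test":  "2002:c000:0202::1",
    "srv.friend.test":   "2002:c000:0202::2",
}
REVERSE = {  # address -> PTR name (constructed)
    "2002:c000:0201::1": "www.example.test",
    # 2002:c000:0202::1 has no reachable PTR record at all
    "2002:c000:0202::2": "dyn-2-2-2-2.isp.test",  # generic name from the ISP
}


def canonicalize(hostname, realm, rdns=True):
    """Return (principal, note) for service host/<hostname> in <realm>.

    Model: forward lookup to an address, then, if rdns is enabled, a reverse
    lookup of that address. A PTR name replaces the forward name; if the
    reverse lookup fails, the forward name is kept (assumption of this model).
    """
    host = hostname.rstrip(".").lower()
    addr = FORWARD.get(host)
    if addr is None:
        raise LookupError(f"no forward record for {host}")
    note = "forward name used (rdns disabled)"
    if rdns:
        ptr = REVERSE.get(addr)
        if ptr is None:
            note = "reverse lookup failed; forward name kept"
        else:
            host = ptr.rstrip(".").lower()
            note = "reverse (PTR) name used"
    return f"host/{host}@{realm}", note


def principal_mismatch(hostname, realm):
    """True when reverse-DNS canonicalization yields a principal different
    from the one the server would naturally hold a key for (host/<fqdn>)."""
    derived, _ = canonicalize(hostname, realm, rdns=True)
    expected = f"host/{hostname.rstrip('.').lower()}@{realm}"
    return derived != expected


if __name__ == "__main__":
    for h, r in (("www.example.test", "EXAMPLE.TEST"),
                 ("mail.friend.test", "FRIEND.TEST"),
                 ("srv.friend.test", "FRIEND.TEST")):
        print(h, "->", canonicalize(h, r), "mismatch:", principal_mismatch(h, r))
```

The third host shows the failure mode behind the post's concern: a reverse zone the client cannot control (or reach) makes the derived principal diverge from `host/srv.friend.test@FRIEND.TEST`.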
