Kerberos authentication without reverse lookup
Roland Dowdeswell
elric at imrryr.org
Tue Jan 18 18:45:58 EST 2005
On 1106079270 seconds since the Beginning of the UNIX epoch
Fredrik Tolf wrote:
>
>I came up with a fairly simple solution that would be to add, to inetd
>on each host, a simple program that just echoes to the connecting host
>what that host's perception of its own FQDN is. Then I'd write a simple
>nsswitch module for gethostbyaddr (possibly with some kind of config
>file so that it never tries for hosts that aren't supposed to be part of
>this) that connects to this service on the address that it is supposed
>to canonicalize.
You could always do what Heimdal does, which is to use ai->ai_canonname
rather than performing a reverse lookup. Unfortunately, this strategy
is not followed by third-party vendors such as OpenSSH.
You stated in a prior e-mail that you were using IPv6. In this
case there is no need to write an inetd service; it would be better
to just use ICMP6 à la "ping -w host": at least with IPv6, asking
a host for its name is an implemented standard.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
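The two resolver paths discussed in the message above, as an added example that is not part of the original post and is neither Heimdal's nor OpenSSH's code: forward canonicalisation through getaddrinfo() with AI_CANONNAME, the reverse getnameinfo() lookup on the peer address, and the forward-confirmation check that a service which still relies on reverse DNS should apply before trusting the PTR name. The function names, the HOSTBUF constant and the loopback sample input are assumptions of this example.

```c
/* Added example, not Heimdal's or OpenSSH's code.  Two ways a service can
 * turn a connecting client into a host name for a host/NAME@REALM principal:
 *   forward_canonical_name(): getaddrinfo() + AI_CANONNAME; the answer comes
 *     from the name's own DNS zone.
 *   reverse_name(): getnameinfo() on the peer address (PTR); the answer comes
 *     from whoever controls the address block's reverse zone.
 *   forward_confirmed(): when reverse DNS is used anyway, the PTR name has to
 *     resolve back to the peer address.
 * Function names and the loopback sample input are assumptions made here. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
enum { HOSTBUF = 1025 };   /* matches NI_MAXHOST on common libcs */

/* Forward canonicalisation.  With numeric_only, AI_NUMERICHOST is added so
 * no resolver is consulted and the literal itself comes back as canonname.
 * Returns 0 on success, otherwise the EAI_* code from getaddrinfo(). */
int forward_canonical_name(const char *host, int numeric_only,
                           char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME | (numeric_only ? AI_NUMERICHOST : 0);
    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    /* ai_canonname is filled in only on the first element of the list */
    snprintf(out, outlen, "%s", res->ai_canonname ? res->ai_canonname : host);
    freeaddrinfo(res);
    return 0;
}

/* Reverse lookup of a peer address.  NI_NAMEREQD makes a missing PTR an
 * error rather than silently returning the address as text; numeric_only
 * asks for the textual address instead (NI_NUMERICHOST). */
int reverse_name(const struct sockaddr *sa, socklen_t salen, int numeric_only,
                 char *out, size_t outlen)
{
    return getnameinfo(sa, salen, out, (socklen_t)outlen, NULL, 0,
                       numeric_only ? NI_NUMERICHOST : NI_NAMEREQD);
}

/* Forward-confirm: 1 if NAME resolves (in SA's family) to SA's address,
 * 0 otherwise, including when NAME does not resolve at all. */
int forward_confirmed(const struct sockaddr *sa, const char *name)
{
    struct addrinfo hints, *res, *p;
    int match = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = sa->sa_family;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    for (p = res; p && !match; p = p->ai_next) {
        if (p->ai_family == AF_INET) {
            const struct sockaddr_in *a = (const struct sockaddr_in *)p->ai_addr;
            const struct sockaddr_in *b = (const struct sockaddr_in *)sa;
            match = memcmp(&a->sin_addr, &b->sin_addr, sizeof a->sin_addr) == 0;
        } else if (p->ai_family == AF_INET6) {
            const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)p->ai_addr;
            const struct sockaddr_in6 *b = (const struct sockaddr_in6 *)sa;
            match = memcmp(&a->sin6_addr, &b->sin6_addr, sizeof a->sin6_addr) == 0;
        }
    }
    freeaddrinfo(res);
    return match;
}

/* 1 if LIT is an address literal that canonicalises to itself, else 0. */
int literal_roundtrip(const char *lit)
{
    char buf[HOSTBUF];
    return forward_canonical_name(lit, 1, buf, sizeof buf) == 0 &&
           strcmp(buf, lit) == 0;
}

/* Offline self-check on the IPv6 loopback address (constructed input, no
 * DNS needed).  Returns the number of checks that passed, 4 when all do. */
int loopback_self_check(void)
{
    struct sockaddr_in6 sa;
    char buf[HOSTBUF];
    int passed = 0;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    inet_pton(AF_INET6, "::1", &sa.sin6_addr);
    passed += literal_roundtrip("::1");                      /* canonname == literal */
    passed += reverse_name((struct sockaddr *)&sa, sizeof sa, 1,
                           buf, sizeof buf) == 0 && strcmp(buf, "::1") == 0;
    passed += forward_confirmed((struct sockaddr *)&sa, "::1");   /* confirms itself */
    passed += !forward_confirmed((struct sockaddr *)&sa, "::2");  /* other address: no */
    return passed;
}
```

The self-check stays on address literals so it runs without a resolver; pointed at a real peer, reverse_name() and forward_confirmed() together implement the usual forward-confirmed reverse DNS check, while forward_canonical_name() is the Heimdal-style path that never consults the reverse zone at all. Either way the name still comes from DNS, so the result is only as trustworthy as the zone that answered; not canonicalising at all, as the thread's subject suggests, removes that dependency entirely.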