Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?
Fredrik Tolf
fredrik at dolda2000.com
Sun Nov 27 15:58:23 EST 2005
On Wed, 2005-11-23 at 09:43 -0800, rchowneltura at hotmail.com wrote:
> Hi, I am investigating kerberizing of our application using
> MIT Kerberos5. Due to the nature of our application,
> we cannot use DNS and must use host IP addresses
> instead of hostnames during authentication.

I believe that host names are required for Kerberos operation, since
they are used in the service principal names.

However, host names aren't necessarily transferred over DNS. I also have
this problem when using services over IPv6, and to help out, I
implemented the FQDN over ICMP service for Linux. If you, too, are using
Linux, you can use the program:

<http://www.dolda2000.com/~fredrik/icmp-dn/>

FQDN over ICMP is specified in RFC 1788 -- it's just that neither the
Linux kernel nor any standard glibc NSS module implements it. Meaning:
It's not just some homebrew protocol of mine, but an open standard. I
don't think Windows supports it, but I'm fairly sure that it would work
when talking to *BSD machines.

Fredrik Tolf
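
An added example, not part of the original message and not code from the icmp-dn program: the RFC 1788 Domain Name Reply (ICMP type 38), built and parsed as this editor reads the RFC, and turned into the host name a host-based service principal would carry. The realm, host names and function names are assumptions, taking the first name in the reply is this example's choice, and name compression is rejected rather than followed.

```python
import struct

DOMAIN_NAME_REPLY = 38  # ICMP type; the matching request is type 37

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; over a valid ICMP message it yields 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_reply(ident: int, seq: int, ttl: int, names: list) -> bytes:
    """Responder side: header, signed 32-bit TTL, names as DNS labels."""
    body = struct.pack("!HHi", ident, seq, ttl)
    for fqdn in names:
        for label in fqdn.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00"  # root label terminates each name
    csum = inet_checksum(struct.pack("!BBH", DOMAIN_NAME_REPLY, 0, 0) + body)
    return struct.pack("!BBH", DOMAIN_NAME_REPLY, 0, csum) + body

def parse_reply(msg: bytes, ident: int, seq: int):
    """Requester side: return (ttl, names) or raise ValueError."""
    if len(msg) < 12 or inet_checksum(msg) != 0:
        raise ValueError("truncated message or bad checksum")
    mtype, code, _, r_ident, r_seq, ttl = struct.unpack("!BBHHHi", msg[:12])
    if (mtype, code, r_ident, r_seq) != (DOMAIN_NAME_REPLY, 0, ident, seq):
        raise ValueError("not a reply to our request")
    names, labels, pos = [], [], 12
    while pos < len(msg):
        n, pos = msg[pos], pos + 1
        if n == 0:
            names.append(".".join(labels))
            labels = []
        elif n > 63 or pos + n > len(msg):
            raise ValueError("compression pointer or truncated label")
        else:
            # Lower-cased here because host principals are conventionally lower case.
            labels.append(msg[pos:pos + n].decode("ascii").lower())
            pos += n
    if labels or not names or not names[0]:
        raise ValueError("no complete host name in reply")
    return ttl, names

def host_principal(msg: bytes, ident: int, seq: int, realm: str) -> str:
    """host/<fqdn>@REALM built from the first name in the reply."""
    _, names = parse_reply(msg, ident, seq)
    return f"host/{names[0]}@{realm}"

# Constructed sample: a reply for a made-up host, matching request id 0x1234, seq 1.
SAMPLE = build_reply(0x1234, 1, 3600, ["App01.Example.COM", "alias.example.com"])
```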