Common keytab file for all the application servers - Is it possible???
Markus Moeller
huaraz at moeller.plus.com
Mon Jan 2 09:43:28 EST 2006
This type of setup won't work. You have to differentiate between what is
possible with Kerberos/GSSAPI and how existing applications (e.g.
telnet, ftp, HTTP) use it. With telnet, ftp, HTTP you are bound to DNS
resolutions (A record and reverse; hosts files are possible but painful). If
you write your own Kerberos/GSSAPI applications you can define it yourself
and can do it independent of DNS.
Regards
Markus
<sandypossible at gmail.com> wrote in message
news:1136208949.823674.122820 at g44g2000cwa.googlegroups.com...
> Hi,
>
> If I go for the same keytab knowing that there is compromise of
> security, I have some questions.
>
> Assuming that I have a windows 2003 KDC. I have two linux machines. I
> will add a user account and generate a keytab file using ktpass. Please
> note that the ktpass tool requires us to specify host/<fqdn>. I will
> now copy the same keytab file to both these linux machines. Now from
> another windows XP I will try to connect to one linux machine using
> telnet. My question is how will the windows XP machine connect to the
> correct linux machine ? How will the identification of the correct
> telnet server happen if both linux machines are running telnet daemon?
>
>
> - Sandy.
>
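The following is an added illustration of the point made in this thread; it is not code from either poster or from the Kerberos project. It models what a telnet/ftp-style client does before asking the KDC for a ticket (resolve the target's A record, then the reverse record, and request `host/<canonical fqdn>@REALM`) and then checks whether the keytab on the server actually holds that principal. The realm `EXAMPLE.COM`, the hostnames `linux1`/`linux2`, the DNS tables and the key bytes are all constructed so the example runs offline; the keytab bytes are written and read in the MIT keytab v2 (`0x0502`) layout so the parser can also be pointed at a real file to list its principals. A second check shows the alternative Markus describes: an application that chooses its own fixed service name does not depend on DNS at all, so one keytab can serve both machines.

```python
import struct

REALM = "EXAMPLE.COM"  # constructed realm for the example

# Constructed stand-in for the resolver: the client's forward (A) and
# reverse (PTR) lookups are answered from these tables instead of DNS.
DNS_A = {"linux1.example.com": "192.0.2.10", "linux1": "192.0.2.10",
         "linux2.example.com": "192.0.2.11", "linux2": "192.0.2.11"}
DNS_PTR = {"192.0.2.10": "linux1.example.com",
           "192.0.2.11": "linux2.example.com"}


def canonical_host(name):
    """Simplified model of client-side canonicalisation: A record, then PTR."""
    addr = DNS_A.get(name.lower())
    if addr is None:
        raise LookupError(f"no A record for {name}")
    return DNS_PTR.get(addr, name.lower())


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as MIT keytab v2 bytes."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)          # name type: NT-PRINCIPAL
        body += struct.pack(">I", 0)          # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """List (principal, kvno, enctype) from keytab bytes in the v2 layout."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        e = data[pos:pos + size]; pos += size
        p = 0
        (ncomp,) = struct.unpack(">H", e[p:p + 2]); p += 2
        (rlen,) = struct.unpack(">H", e[p:p + 2]); p += 2
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        p += 4 + 4                   # skip name type and timestamp
        kvno = e[p]; p += 1
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen
        if len(e) - p >= 4:          # optional 32-bit kvno overrides the byte
            (kvno,) = struct.unpack(">I", e[p:p + 4])
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def host_service_accepts(keytab_bytes, client_target, realm=REALM):
    """telnet/ftp case: the principal the client asks for is fixed by DNS.
    Returns (principal the client will request, whether the keytab has it)."""
    wanted = f"host/{canonical_host(client_target)}@{realm}"
    have = {p for p, _, _ in parse_keytab(keytab_bytes)}
    return wanted, wanted in have


def custom_service_accepts(keytab_bytes, service_principal):
    """Own GSSAPI application: the name is agreed out of band, DNS is irrelevant."""
    return service_principal in {p for p, _, _ in parse_keytab(keytab_bytes)}


if __name__ == "__main__":
    # One ktpass-style keytab (host/<fqdn> of linux1 only) copied to both hosts.
    shared = build_keytab([("host/linux1.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16)])
    for target in ("linux1", "linux2"):
        print(target, "->", host_service_accepts(shared, target))
    # A keytab for a self-written service using a fixed, DNS-independent name.
    custom = build_keytab([("myapp/shared@EXAMPLE.COM", 1, 23, b"\x22" * 16)])
    print("custom:", custom_service_accepts(custom, "myapp/shared@EXAMPLE.COM"))
```

Running it shows the client reaching `linux2` asking for `host/linux2.example.com@EXAMPLE.COM`, which the copied keytab does not contain, while the fixed-name service accepts on either machine. Enctype 23 (RC4-HMAC) and the key bytes are constructed placeholders, not real keys.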