Use of FQDN in key (Was: Solaris 10)
Douglas E. Engert
deengert at anl.gov
Tue Jan 10 11:50:31 EST 2006
Turbo Fredriksson wrote:
> Quoting "Douglas E. Engert" <deengert at anl.gov>:
>
>
>>The kadmin/icarus at PHUSNIKN.NET should be kadmin/icarus.phusnikn.net at PHUSNIKN.NET
>>i.e. host names in Kerberos are always FQDN.
>
>
> Just for completeness, my extreme curiosity etc. Why EXACTLY is that. If the
> DNS works perfectly (both forward and reverse), then it should be possible to
> NOT have the FQDN... ?
DNS is not secure, so you need to have the client, server and KDC agree on a
convention on what represents a service principal. The <service>/<FQDN>@<REALM>
is the common convention used.
The kadmin service expects FQDNs.
> And why not use IPs (other than if the IP change, the
> key is invalid)?
You could, but that is not the usual convention. The use of the FQDN also
allows a user to specify the name which is somewhat representative of
a service, whereas an IP is not. For example one should look closely at
a URL to see that it is using some FQDN that is somehow associated with the
site. I don't trust URLs with IP numbers. The same goes for Kerberos principals.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
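The convention described in the reply above, <service>/<FQDN>@<REALM>, is easy to get wrong by hand (short host names, IP literals, mixed case), and the mismatch only surfaces when the KDC cannot find the key. The following is an added example, not code from the mailing-list post or from MIT Kerberos: a small parser and checker for service principal strings that flags a host component which is not a fully qualified domain name, plus a helper that builds the conventional name from a short host and its DNS domain. The principal strings are constructed for illustration; the realm PHUSNIKN.NET and host icarus are taken from the thread, and 192.0.2.10 is a documentation-range address, not a real host.

```python
"""Added example (not from the mailing-list post): parse Kerberos service
principals of the form <service>/<host>@<REALM> and check that the host
component is a fully qualified domain name, as the reply above recommends.
Sample principals are constructed; PHUSNIKN.NET and icarus come from the thread."""

import re
from dataclasses import dataclass

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Dotted IPv4 literal such as 192.0.2.10 (constructed, documentation range).
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class ServicePrincipal:
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def parse_service_principal(text: str) -> ServicePrincipal:
    """Split 'service/host@REALM'. Raises ValueError on any other shape."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    name, realm = text.split("@")
    if not realm:
        raise ValueError("empty realm")
    if name.count("/") != 1:
        raise ValueError(f"expected 'service/host' before '@' in {text!r}")
    service, host = name.split("/")
    if not service or not host:
        raise ValueError(f"empty service or host component in {text!r}")
    return ServicePrincipal(service, host, realm)


def host_problems(host: str) -> list[str]:
    """Return reasons the host component does not follow the FQDN convention.
    An empty list means the host looks like a proper, lowercase FQDN."""
    problems = []
    if _IPV4.match(host):
        problems.append("host is an IP literal, not a name")
        return problems
    if host != host.lower():
        problems.append("host is not lowercase (Kerberos names are case-sensitive)")
    if host.endswith("."):
        problems.append("host has a trailing dot")
    labels = host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        problems.append("host is a short name, not an FQDN")
    for label in labels:
        if not _LABEL.match(label):
            problems.append(f"invalid DNS label {label!r}")
    return problems


def check_principal(text: str) -> list[str]:
    """Parse and validate; return the list of problems found (empty if OK)."""
    try:
        principal = parse_service_principal(text)
    except ValueError as err:
        return [str(err)]
    return host_problems(principal.host)


def canonical_principal(service: str, short_host: str, domain: str, realm: str) -> str:
    """Build the conventional principal from a short host name and its DNS domain."""
    fqdn = f"{short_host}.{domain}".lower().rstrip(".")
    if host_problems(fqdn):
        raise ValueError(f"{fqdn!r} is not a clean FQDN: {host_problems(fqdn)}")
    return str(ServicePrincipal(service, fqdn, realm))


if __name__ == "__main__":
    for candidate in ["kadmin/icarus@PHUSNIKN.NET",
                      "kadmin/icarus.phusnikn.net@PHUSNIKN.NET",
                      "host/192.0.2.10@PHUSNIKN.NET",
                      "host/Icarus.Phusnikn.Net@PHUSNIKN.NET"]:
        print(candidate, "->", check_principal(candidate) or "ok")
    print(canonical_principal("kadmin", "icarus", "phusnikn.net", "PHUSNIKN.NET"))
```

The checker deliberately treats an IP literal as a problem rather than a variant spelling, matching the reply's point that the client, server and KDC must all agree on one naming convention; a name the KDC never issued a key for simply fails at ticket request time.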