Kerberos and IP aliases

Russ Allbery rra at stanford.edu
Wed Sep 5 15:30:57 EDT 2007


Miguel Sanders <miguelsanders at telenet.be> writes:

> I was just wondering how Kerberos reacts to IP aliases (virtual IP
> addresses).  Do you have to create a host principal for the virtual
> hostname as well?

Generally, yes.

Kerberos itself doesn't know anything about such things and just
authenticates whatever principal the client uses using its keys.  However,
the client has to know what the server identity is in order to
authenticate.  While it's possible to make the user explicitly specify an
identity, that's unusual and in practice the client usually guesses based
on the hostname.

In some cases the client will just use whatever hostname is given on the
command line, but in many cases it will do a forward and reverse DNS
lookup to canonicalize the hostname (although this is less secure if you
can't trust DNS, and most people can't).  So in practice the server needs
to have a key for all identities that might result from either of those
approaches.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
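The following is an added illustration, not part of the original message or of any Kerberos implementation. It models the three client behaviours the reply describes (use the hostname as typed, forward-lookup canonicalization only, forward plus reverse lookup) against a constructed in-memory DNS table, and lists every host/ principal a server behind an IP alias would need a key for. The hostnames, addresses, realm EXAMPLE.COM and the PTR-record mismatch are hypothetical.

```python
"""
Which Kerberos service principal does a client ask for, and which keys must a
server with IP aliases therefore hold?  Added example; hostnames, addresses,
realm and DNS data below are constructed for illustration, not taken from the
original message, and an in-memory table replaces real DNS so this runs offline.
"""

# Constructed forward zone: name -> (canonical name after CNAME chasing, addresses)
FORWARD_DNS = {
    "node1.example.com": ("node1.example.com", ["192.0.2.1"]),
    "node2.example.com": ("node2.example.com", ["192.0.2.2"]),
    # Virtual hostname with its own A record and a matching PTR record.
    "app.example.com": ("app.example.com", ["192.0.2.10"]),
    # Virtual hostname whose A record points at an alias IP, but whose PTR
    # record was left pointing at the physical host that carries the alias.
    "db.example.com": ("db.example.com", ["192.0.2.20"]),
    # Plain CNAME onto the physical host.
    "www.example.com": ("node1.example.com", ["192.0.2.1"]),
}

# Constructed reverse zone: address -> PTR name
REVERSE_DNS = {
    "192.0.2.1": "node1.example.com",
    "192.0.2.2": "node2.example.com",
    "192.0.2.10": "app.example.com",
    "192.0.2.20": "node2.example.com",
}


def canonicalize(hostname, rdns=True):
    """Mimic the two canonicalization strategies described in the message.

    rdns=False: forward lookup only; keep the canonical (CNAME target) name.
    rdns=True:  forward lookup, then reverse lookup of the first address; the
                PTR name wins when one exists.
    """
    name = hostname.lower().rstrip(".")
    cname, addrs = FORWARD_DNS.get(name, (name, []))
    if rdns and addrs:
        return REVERSE_DNS.get(addrs[0], cname)
    return cname


def service_principal(hostname, service="host", realm="EXAMPLE.COM",
                      canonicalize_name=True, rdns=True):
    """Principal a client will request for hostname under one strategy."""
    if canonicalize_name:
        host = canonicalize(hostname, rdns)
    else:
        host = hostname.lower().rstrip(".")  # use the name exactly as given
    return f"{service}/{host}@{realm}"


def principals_needed(hostname, service="host", realm="EXAMPLE.COM"):
    """Every principal some client might request for this hostname, across
    the three behaviours: as typed, forward only, forward plus reverse."""
    return {
        service_principal(hostname, service, realm, canonicalize_name=False),
        service_principal(hostname, service, realm, rdns=False),
        service_principal(hostname, service, realm, rdns=True),
    }


def missing_keys(keytab_principals, hostnames, service="host", realm="EXAMPLE.COM"):
    """Principals absent from a server's keytab for all names it answers to."""
    needed = set()
    for h in hostnames:
        needed |= principals_needed(h, service, realm)
    return sorted(needed - set(keytab_principals))


if __name__ == "__main__":
    for name in ("app.example.com", "db.example.com", "www.example.com"):
        print(name, "->", sorted(principals_needed(name)))
    # A physical host that only has a key for its own name but also serves
    # the db.example.com alias: the alias key is missing.
    print(missing_keys(["host/node2.example.com@EXAMPLE.COM"],
                       ["node2.example.com", "db.example.com"]))
```

The db.example.com case is the one the reply warns about: a client that stops at the forward lookup asks for host/db.example.com, while a client that also does the reverse lookup asks for host/node2.example.com, so the server needs both keys in its keytab. It is also why the reverse step is the less trustworthy one: whoever controls the PTR record for the alias address chooses which principal the client ends up requesting. In MIT Kerberos the reverse step is governed by the `rdns` setting in the [libdefaults] section of krb5.conf.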
