Is a Kerberos principal always a DNS name?

Victor Sudakov vas at
Thu Apr 24 22:02:27 EDT 2008

Douglas E. Engert wrote:
> > 
> > Is a Kerberos principal always a DNS name? Can't an IP literal be used?

> I think they must be names, but don't have to be in DNS. The name could
> be in /etc/hosts. The client and server must agree on the name of the
> server, and the KDC has to have a service principal for the server.

> IPs don't tend to work, and the IP number of the service changes,
> with DHCP for example, each service would have to have a keytab
> with the old and new IP numbers, which is not practical, and could
> have some security issues.

I thought that sometimes it would be convenient to have a principal
like host/[]@MY.REALM to be able to ssh into without
giving it a name. This is not possible, is it?

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet
