Is a Kerberos principal always a DNS name?

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Thu Apr 24 22:02:27 EDT 2008


Douglas E. Engert wrote:
> > 
> > Is a Kerberos principal always a DNS name? Can't an IP literal be used?

> I think they must be names, but don't have to be in DNS. The name could
> be in /etc/hosts. The client and server must agree on the name of the
> server, and the KDC has to have a service principal for the server.

> IPs don't tend to work, and the IP number of the service changes,
> with DHCP for example, each service would have to have a keytab
> with the old and new IP numbers, which is not practical, and could
> have some security issues.

I thought that sometimes it would be convenient to have a principal
like host/[10.1.1.1]@MY.REALM to be able to ssh into 10.1.1.1 without
giving it a name. This is not possible, is it?


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/



More information about the Kerberos mailing list