Is a Kerberos principal always a DNS name?

Victor Sudakov vas at
Thu Apr 24 22:07:32 EDT 2008

Booker Bense wrote:
> >
> >Is a Kerberos principal always a DNS name? Can't an IP literal be used?
> >

> It's whatever both sides of the connection agree that it should
> be BEFORE the connection is made. DNS names are used by default 
> since that makes an easy out of band way to get both sides to agree. 

> You can use IP addrs if you can wrangle both client and server
> software into using them. I'm not aware of any standard clients
> that will support that kind of usage though. 

If we take for example an sshd server on a typical Unix host, how does
it figure out its own principal name? Suppose it has keys for
multiple principals in the keytab, which one would it choose?

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet
