Is a Kerberos principal always a DNS name?
Douglas E. Engert
deengert at anl.gov
Fri Apr 25 10:29:18 EDT 2008
Victor Sudakov wrote:
> Douglas E. Engert wrote:
>>> Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> I think they must be names, but don't have to be in DNS. The name could
>> be in /etc/hosts. The client and server must agree on the name of the
>> server, and the KDC has to have a service principal for the server.
>> IPs don't tend to work, and the IP number of the service changes,
>> with DHCP for example, each service would have to have a keytab
>> with the old and new IP numbers, which is not practical, and could
>> have some security issues.
> I thought that sometimes it would be convenient to have a principal
> like host/[10.1.1.1]@MY.REALM to be able to ssh into 10.1.1.1 without
> giving it a name. This is not possible, is it?
Don't know, I have not tried it, and don't want to try it either.
There are too many pitfalls, like:
o DHCP changing addresses;
o Hosts with multiple addresses;
o Code that may treat a string as an IP number or as a name and parse it
with 10 as the simple host name and 1.1.1 as the rest. What do you put in the
krb5.conf [domain_realm] section?
The use of host names was chosen for Kerberos because names are at a level
above the IP number and don't change as often. Names are readable and
can impart some information to the user that they are connecting to the
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
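As an added illustration (not part of the thread or of any krb5 code), here is a Python model of the [domain_realm] lookup order documented for krb5.conf: the exact host name first, then progressively shorter parent domains with a leading dot, then default_realm. The mapping table, the keytab contents and the host names are constructed; the code does no DNS and only shows how an IP literal falls through that lookup and how renumbering changes the principal a client asks for.

```python
import ipaddress

# Constructed sample [domain_realm] section: keys starting with "." map a
# whole DNS domain, keys without the dot map exactly one host.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",
}
DEFAULT_REALM = "DEFAULT.REALM"   # stands in for krb5.conf default_realm


def candidate_keys(hostname):
    """Keys tried in order: full host, then each parent domain with a leading dot.
    An IP literal has no meaningful "parent domain", so its keys are nonsense."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def domain_realm_lookup(hostname, table=DOMAIN_REALM, default=DEFAULT_REALM):
    """Return (realm, matched_key); matched_key is None when default_realm applies."""
    for key in candidate_keys(hostname):
        if key in table:
            return table[key], key
    return default, None


def host_principal(hostname, table=DOMAIN_REALM, default=DEFAULT_REALM):
    """The host/<name>@REALM principal a client would request for this host."""
    realm, _ = domain_realm_lookup(hostname, table, default)
    return f"host/{hostname.rstrip('.').lower()}@{realm}"


def is_ip_literal(name):
    """True if the 'host name' is really an IPv4/IPv6 literal (with or without [])."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def keytab_covers(keytab, hostname):
    """Does a keytab (constructed here as a set of principal names) hold a key
    for the principal a client would ask for when connecting to hostname?"""
    return host_principal(hostname) in keytab


if __name__ == "__main__":
    print(candidate_keys("10.1.1.1"))            # ['10.1.1.1', '.1.1.1', '.1.1', '.1']
    keytab = {host_principal("10.1.1.1")}        # server keyed under its old address
    print(keytab_covers(keytab, "10.1.1.2"))     # False after a DHCP renumbering
```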