Is a Kerberos principal always a DNS name?

Douglas E. Engert deengert at
Fri Apr 25 10:29:18 EDT 2008

Victor Sudakov wrote:
> Douglas E. Engert wrote:
>>> Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> I think they must be names, but don't have to be in DNS. The name could
>> be in /etc/hosts. The client and server must agree on the name of the
>> server, and the KDC has to have a service principal for the server.
>> IPs don't tend to work, and if the IP number of the service changes,
>> with DHCP for example, each service would have to have a keytab
>> with the old and new IP numbers, which is not practical and could
>> have some security issues.
> I thought that sometimes it would be convenient to have a principal
> like host/[]@MY.REALM to be able to ssh into without
> giving it a name. This is not possible, is it?

Don't know, I have not tried it, and don't want to try it either.
There are too many pitfalls, like:

  o DHCP changing addresses;

  o Hosts with multiple addresses;

  o IPv6;

  o Code that may treat a string as an IP number or as a name and parse it,
    taking 10 as the simple host name and 1.1.1 as the rest. What do you put
    in the krb5.conf [domain_realm] section?

The use of host names was chosen for Kerberos because names are at a level
above the IP number and don't change as often. Names are readable and
can impart some information to the user that they are connecting to the
correct host.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
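An added illustration (not from the thread) of the [domain_realm] pitfall mentioned above: a simplified model of how a krb5 client turns a server name into a service principal via the [domain_realm] mapping, with the lookup order (exact host name first, then each parent domain with a leading dot) and the sample mapping both being assumptions of this example.

```python
# Added example, not code from the original post. Simplified model of the
# krb5 [domain_realm] lookup; the candidate order (exact host, then each
# parent domain keyed with a leading dot) is an assumption for illustration.
from typing import Dict, List, Optional

# Constructed sample [domain_realm] section.
DOMAIN_REALM: Dict[str, str] = {
    "kdc.example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".lab.example.com": "LAB.EXAMPLE.COM",
}


def realm_candidates(host: str) -> List[str]:
    """Keys tried against [domain_realm], most specific first."""
    host = host.lower().rstrip(".")
    cands = [host]
    labels = host.split(".")
    # Each parent "domain" is the remainder after stripping leading labels;
    # for an IP literal this yields ".1.1.1", ".1.1", ".1" -- the very
    # "10 is the host, 1.1.1 is the rest" confusion described in the post.
    for i in range(1, len(labels)):
        cands.append("." + ".".join(labels[i:]))
    return cands


def lookup_realm(host: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Return the realm for host, or None if no [domain_realm] entry applies."""
    for key in realm_candidates(host):
        if key in mapping:
            return mapping[key]
    return None


def service_principal(service: str, host: str,
                      mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Build service/host@REALM, or None when the host cannot be mapped."""
    realm = lookup_realm(host, mapping)
    if realm is None:
        return None
    return f"{service}/{host.lower().rstrip('.')}@{realm}"


if __name__ == "__main__":
    print(service_principal("host", "web1.lab.example.com"))
    print(realm_candidates("10.1.1.1"))
    print(service_principal("host", "10.1.1.1"))
```

With a host name the most specific mapping wins (web1.lab.example.com lands in LAB.EXAMPLE.COM), while the IP literal produces only meaningless parent keys and no principal at all.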
