Is a Kerberos principal always a DNS name?
Booker Bense
bbense at slac.stanford.edu
Fri Apr 25 12:59:27 EDT 2008
In article <fured4$vvq$3 at relay.tomsk.ru>,
Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> wrote:
>Booker Bense wrote:
>> >
>> >Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> >
>
>> It's whatever both sides of the connection argee that it should
>> be BEFORE the connection is made. DNS names are used by default
>> since that makes an easy out of band way to get both sides to agree.
>
>> You can use IP addrs if you can wrangle both client and server
>> software into using them. I'm not aware of any standard clients
>> that will support that kind of usage though.
>
>If we take for example an sshd server on a typical Unix host, how does
>it figure out its own principal name? Suppose it has keys for
>multiple principals in the keytab, which one would it choose?
>
Whatever it's configured to choose. The default is
host/dns.expansion.for.ip.of.host at REALM
This can get quite complicated if you have multiple interfaces
with different DNS names. Both the server and the client have
to make a priori decisions about the principal the service uses.
Choosing that principal is entirely up to the software.
_ Booker C. Bense
More information about the Kerberos
mailing list