Is a Kerberos principal always a DNS name?

Booker Bense bbense at
Fri Apr 25 12:59:27 EDT 2008

In article <fured4$vvq$3 at>,
Victor Sudakov  <vas at> wrote:
>Booker Bense wrote:
>> >
>> >Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> >
>> It's whatever both sides of the connection argee that it should
>> be BEFORE the connection is made. DNS names are used by default 
>> since that makes an easy out of band way to get both sides to agree. 
>> You can use IP addrs if you can wrangle both client and server
>> software into using them. I'm not aware of any standard clients
>> that will support that kind of usage though. 
>If we take for example an sshd server on a typical Unix host, how does
>it figure out its own principal name? Suppose it has keys for
>multiple principals in the keytab, which one would it choose?

Whatever it's configured to choose. The default is 

host/ at REALM

This can get quite complicated if you have multiple interfaces
with different DNS names. Both the server and the client have
to make a priori decisions about the principal the service uses.
Choosing that principal is entirely up to the software.  

_ Booker C. Bense 

More information about the Kerberos mailing list