ssh to IP literal
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Dec 13 13:14:40 EST 2010
On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote:
> On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
> > Well, it poses a problem for domain to realm mappings, as you've seen.
>
> What Russ says is true, but on top of that, the Kerberos library also
> needs to know what service ticket to ask for. It's likely that the
> client tried to get tickets for host/10.14.134.5@defaultrealm before
> falling back to guessing 14.134.5 as the realm.
>
> The proximal issue is that you need a reverse DNS entry for 10.14.134.5.
> (Reliance on DNS for this purpose is a long-standing security issue, but
> we still do it.)

When an app resolves a user-given IP address to a name which is then
used for authentication purposes, the app should prompt the user as to
whether the name is the one the user had intended. Most non-browser
apps don't really do that.

Nico
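
The confirmation step suggested in the message above, as an added example that is not code from this thread or from any Kerberos or ssh implementation. The function names and the PTR data in the demo are assumptions made up for illustration.

```python
import ipaddress
import socket


def is_ip_literal(target):
    """True when the user typed an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def reverse_lookup(ip):
    """PTR lookup via the system resolver; None when there is no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def auth_hostname(target, resolve=reverse_lookup, confirm=None):
    """Hostname to authenticate to, or None (hypothetical helper).

    A name taken from reverse DNS is unauthenticated, so it is shown to the
    user and used only after an explicit yes."""
    if not is_ip_literal(target):
        return target.lower()  # the user named the host; nothing to confirm
    name = resolve(target)
    if name is None:
        return None  # no PTR record: stop instead of guessing a name or realm
    name = name.rstrip(".").lower()
    if confirm is None:
        confirm = lambda ip, n: input(
            f"{ip} resolves to {n!r}; authenticate to that host? [y/N] "
        ).strip().lower() == "y"
    return name if confirm(target, name) else None


def host_principal(target, **kw):
    """host/<name> service principal (realm left to the library), or None."""
    name = auth_hostname(target, **kw)
    return f"host/{name}" if name else None


if __name__ == "__main__":
    ptr = {"10.14.134.5": "server1.example.com."}  # constructed PTR data
    print(host_principal("10.14.134.5", resolve=ptr.get, confirm=lambda ip, n: True))
```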