ssh to IP literal

Nicolas Williams Nicolas.Williams at oracle.com
Mon Dec 13 13:14:40 EST 2010


On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote:
> On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
> > Well, it poses a problem for domain to realm mappings, as you've seen.
> 
> What Russ says is true, but on top of that, the Kerberos library also
> needs to know what service ticket to ask for.  It's likely that the
> client tried to get tickets for host/10.14.134.5@defaultrealm before
> falling back to guessing 14.134.5 as the realm.
> 
> The proximal issue is that you need a reverse DNS entry for 10.14.134.5.
> (Reliance on DNS for this purpose is a long-standing security issue, but
> we still do it.)

When an app resolves a user-given IP address to a name which is then
used for authentication purposes, the app should prompt the user as to
whether the name is the one the user had intended.  Most non-browser
apps don't really do that.

Nico
-- 
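One way to implement the confirmation step described in the message above, as an added example that is not part of the original thread or of any Kerberos or ssh code base. The function names, the `host` service default and the sample hostname in the usage are assumptions made for illustration.

```python
import ipaddress
import socket

def reverse_lookup(ip):
    """PTR lookup through the system resolver; None if there is no entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def forward_lookup(name):
    """Addresses the name resolves to, as strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def service_principal(target, confirm, rdns=reverse_lookup,
                      fdns=forward_lookup, service="host"):
    """Return the service principal to request, or None to refuse.

    confirm(question) -> bool is called only when the name was derived
    from DNS rather than typed by the user.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # The user typed a name: that name is what they intended.
        return f"{service}/{target.rstrip('.').lower()}"
    name = rdns(str(ip))
    if not name:
        return None  # no reverse entry, so no name to authenticate
    name = name.rstrip(".").lower()
    # A matching forward lookup is only a hint shown in the prompt:
    # both answers come from DNS, so the user still has to decide.
    matches = any(ipaddress.ip_address(a.split("%")[0]) == ip
                  for a in fdns(name))
    question = f"{ip} reverse-resolves to {name}"
    if not matches:
        question += " (forward lookup does not match)"
    question += "; authenticate to that host?"
    return f"{service}/{name}" if confirm(question) else None

if __name__ == "__main__":
    ask = lambda q: input(q + " [y/N] ").strip().lower() == "y"
    print(service_principal("10.14.134.5", ask))
```

The `rdns` and `fdns` parameters exist so the logic can be exercised with constructed DNS answers instead of a live resolver.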


