ssh to IP literal

Russ Allbery rra at stanford.edu
Sun Dec 19 14:36:25 EST 2010


Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> writes:
> Russ Allbery wrote:

>> If you add an explicit domain_realm mapping for each IP address to the
>> [domain_realm] section of your krb5.conf file, it will probably work, but
>> it's generally a much better idea to use real host names (possibly in some
>> private domain ending in .local or some similar marker).

> I see. Do I need a real DNS or perhaps /etc/hosts will do? I share
> /etc/hosts as a NIS map.

/etc/hosts should be fine.

> And another question. If a Kerberos-enabled server has several
> principals in its keytab, how exactly does it decide which one to
> use?

It uses whatever one the client uses, in general.  There are some services
that limit what principals they'll accept to only that one principal that
matches what the service thinks is the local hostname, but given how many
problems this causes, an increasing number of services will accept any
principal found in the system keytab.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
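
Added example, not part of the original message and not code from any Kerberos implementation: a simplified Python model of the two behaviours discussed above, the [domain_realm] lookup (exact host entry, then parent domains) and a service that accepts either only its hostname principal or any principal in its keytab. The host names, addresses, realm, keytab contents and function names are all constructed for illustration.

```python
# Simplified model, not code from any Kerberos library. All names are constructed.
DOMAIN_REALM = {
    ".corp.local": "EXAMPLE.LOCAL",  # one entry covers every host in the private domain
    "192.0.2.10": "EXAMPLE.LOCAL",   # IP literal: an explicit entry for each address
}

def realm_for(host, table=DOMAIN_REALM):
    """Exact host entry first, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = table.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None

def service_principal(service, host, table=DOMAIN_REALM):
    """Principal the client asks for, built from the name given on the command line."""
    realm = realm_for(host, table)
    return f"{service}/{host.lower()}@{realm}" if realm else None

def server_accepts(requested, keytab, local_hostname, realm, strict):
    """strict: only the principal matching the local hostname; otherwise any keytab entry."""
    if requested not in keytab:
        return False
    return requested == f"host/{local_hostname}@{realm}" if strict else True

# Constructed keytab contents for a server whose hostname is fs1.corp.local.
KEYTAB = {"host/fs1.corp.local@EXAMPLE.LOCAL", "host/192.0.2.10@EXAMPLE.LOCAL"}

if __name__ == "__main__":
    for name in ("fs1.corp.local", "192.0.2.10", "192.0.2.11"):
        req = service_principal("host", name)
        for strict in (True, False):
            ok = req is not None and server_accepts(
                req, KEYTAB, "fs1.corp.local", "EXAMPLE.LOCAL", strict)
            print(f"{name:16} {req} strict={strict} accepted={ok}")
```
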


