bug: krb5_get_host_realm() no longer uses DNS

Nicolas Williams Nicolas.Williams at oracle.com
Mon May 17 19:49:10 EDT 2010


On Mon, May 17, 2010 at 06:38:48PM -0400, Greg Hudson wrote:
> On Mon, 2010-05-17 at 18:21 -0400, Nicolas Williams wrote:
> > Method #1: Use gss_compare_name() to compare a name obtained by calling
> >            gss_import_name() on "host@<hostname>" to the acceptor name
> >            returned by gss_inquire_context().
> 
> One of the reasons not to specify a desired name in an acceptor is that
> you don't know the hostname used by the client (because of aliases).
> Neither method #1 nor method #2 will work if you don't have a <hostname>
> value.  You really just want to verify the "host" part.

True, but you can just iterate over all the known canonical hostnames of
the host.  (This feature is usually desired for virtualization reasons.)
