hostname for services vs. IP address

Greg Hudson ghudson at MIT.EDU
Tue Aug 9 10:09:12 EDT 2011


On Tue, 2011-08-09 at 03:56 -0400, Chris Hecker wrote:
> Is service/129.168.1.5 a valid service principal?

Sure.  It's not a principal that krb5_sname_to_principal() will
generally return, but if you're creating principal names yourself,
there's nothing invalid about that form.

Of course, you'd have to make sure to key those hosts accordingly.  I'm
not sure what to recommend for you since I'm not sure what about the
servers, if anything, you want to authenticate to the client.  If the
client doesn't care very much what server it's talking to (as long as
it's within the realm at all) then there aren't a lot of constraints on
what the server principal should be.  They just need to be unique so
that hosts can't impersonate clients to each other, and something the
client can figure out or be informed of.




