RFC: Turning off reverse hostname resolution by default in 1.10

Nico Williams nico at cryptonector.com
Wed Jul 6 14:24:59 EDT 2011


On Wed, Jul 6, 2011 at 1:01 PM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> The answers:
>
> - Multihomed hosts (we want to connect to a particular interface, but
>  we want to use one canonical name, because adding a new keytab for a
>  new interface is more of a pain than simply changing the reverse DNS).
>  This also comes into issue when you're doing cross-domain multihoming
>  where the host is in another domain (and other Kerberos realm), and
>  yes, we do that too (but thankfully not that often).

This can be handled by principal name aliasing on the KDC (which
Heimdal supports).  You still need the additional keytab entries (but
not additional actual principals) OR Heimdal's
try-all-keys-with-same-enctype/kvno/realm approach when a key cannot
be found by matching on principal name.

> - Hostname masquerading, where the host has a CNAME pointing to the
>  "real" name, but for various reasons we want the name used by Kerberos
>  to be the CNAME.

Same answer, I think.

Nico
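The two options Nico describes, modelled as an added example (not code from the thread, MIT, or Heimdal): a constructed keytab in which the alias `host/cname.example.com` carries a copy of the canonical host key, and a ticket for `host/iface2.example.com` (aliased only on the KDC, so no keytab entry) that is only decryptable via the try-all-keys-with-same-realm/kvno/enctype fallback. An HMAC tag stands in for real ticket decryption; all names and keys are constructed.

```python
import hmac
import hashlib

# Constructed keytab entries: (principal, kvno, enctype, key).
# The cname entry is an extra keytab entry sharing the canonical key; it is
# not a separate principal on the KDC.
K_REAL_V3 = b"\x11" * 32
K_REAL_V2 = b"\x22" * 32
K_OTHER_V3 = b"\x33" * 32
KEYTAB = [
    ("host/real.example.com@EXAMPLE.COM", 3, "aes256-cts", K_REAL_V3),
    ("host/real.example.com@EXAMPLE.COM", 2, "aes256-cts", K_REAL_V2),
    ("host/other.example.com@EXAMPLE.COM", 3, "aes256-cts", K_OTHER_V3),
    ("host/cname.example.com@EXAMPLE.COM", 3, "aes256-cts", K_REAL_V3),
]


def realm_of(princ):
    return princ.rsplit("@", 1)[1]


def tag(key, body):
    # Stand-in for encryption: a key that verifies the tag "decrypts" the ticket.
    return hmac.new(key, body, hashlib.sha256).digest()


def make_ticket(sname, kvno, enctype, key, body=b"constructed ticket body"):
    """Build a mock service ticket as the KDC would issue it for sname."""
    return {"sname": sname, "kvno": kvno, "etype": enctype,
            "body": body, "tag": tag(key, body)}


def find_service_key(keytab, ticket, try_all_keys=False):
    """Return the keytab principal whose key opens the ticket, or None.

    Step 1 is the usual lookup: exact match on principal, kvno and enctype.
    Step 2 (Heimdal-style fallback) tries every key in the same realm with
    matching kvno and enctype, regardless of principal name.
    """
    want = (ticket["sname"], ticket["kvno"], ticket["etype"])
    for princ, kvno, etype, key in keytab:
        if (princ, kvno, etype) == want and \
                hmac.compare_digest(tag(key, ticket["body"]), ticket["tag"]):
            return princ
    if not try_all_keys:
        return None
    want = (realm_of(ticket["sname"]), ticket["kvno"], ticket["etype"])
    for princ, kvno, etype, key in keytab:
        if (realm_of(princ), kvno, etype) == want and \
                hmac.compare_digest(tag(key, ticket["body"]), ticket["tag"]):
            return princ
    return None
```

Note that the fallback only widens the search to keys of the same kvno and enctype, so a ticket for an old key version or an unrelated key still fails to match.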