openssh/mit kerberos and numeric host address

=?gb2312?B?zfW9ow==?= larkwang at outlook.com
Thu Apr 4 23:01:15 EDT 2013


> Date: Thu, 4 Apr 2013 14:24:34 -0400
> From: kaduk at MIT.EDU
> To: larkwang at outlook.com
> CC: kerberos at MIT.EDU
> Subject: RE: openssh/mit kerberos and numeric host address
>
> On Thu, 4 Apr 2013, Íõ½£ wrote:
>
> >
> > To make sure I don't miss any necessary patch, I git-buildpackage from your modified
> > debian-krb5 repository and test again.
> >
> > The kdc I setup is used as both client and server, using
> >
> > $ ssh -vvv root at 192.168.0.254
> >
> > RESULTS:
> >
> > Patched glibc package + official kerberos package = no go
> > Official glibc package + patched kerberos package = no go
> >
> > Have you test your package in debian testing latest? My test setup is very simple and it's
> > easy to reproduce.
>
> My testing was only in wheezy.
> The small, easy test for me to do is 'kvno -S host
> ptr-mismatch.kerberos.org', which is improved by my patch. I have not
> tested sshing to a numeric host address nor on debian testing, though
> given your experiences I probably should.
>
> Thanks for the clarification.
>
I think the big difference is I want to use IP address directly, and this is a rather reasonable
demand when you manage a large cluster and don't want to rely DNS heavily.

In the company I worked before, we setup DNS forward and reverse RR, and prepare DNS servers
in different IDCs in case that intranet split keep us from login even we have backup links.
That DNS setup is a huge burden for us.

BTW, why no IP address prefix to realm mapping for mit kerberos? 		 	   		  



More information about the Kerberos mailing list