openssh/mit kerberos and numeric host address

[=?gb2312?B?zfW9ow==?=]

> Date: Sun, 7 Apr 2013 02:27:32 -0400
> From: ghudson at MIT.EDU
> To: larkwang at outlook.com
> CC: kerberos at mit.edu
> Subject: Re: openssh/mit kerberos and numeric host address
>
> On 04/06/2013 02:50 AM, Íõ½£ wrote:
> > - retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
> > - if (retval)
> > - return retval;
> > + krb5int_clean_hostname(context, host, local_host, sizeof local_host);
>
> Looking at the history of this code, the intent since krb5 1.3 has been
> to forbid IP-address hostname components in host-based service
> principals. It happens that in krb5 1.6, we factored out the
> numeric-address check and then neglected to check for errors when
> calling the helper function. But in krb5 1.3-1.5 and 1.7+, we return an
> error.
>
> KfW 3.2 was based on krb5 1.6. OSX 10.6 may also use krb5 1.6 (I
> believe the switch to Heimdal was in OSX 10.7).
>
> All that said, I'm not sure why we should have this check. If an
> environment (such as yours) really wants to use numeric addresses in
> service principals, I don't see why we should get in the way. I'll
> bring it up at our next team meeting and consider removing it. I don't
> think we'll go as far as creating an IP address prefix to realm mapping,
> though.
>

IP prefix to realm mapping is only useful when using IP addresses to login to
multiple realms, and this scenario is rare so not a big deal. In my case, I have
my own realm for my home servers and gadgets (gateway, media player, etc).

Thanks and looking forward to your followup on this one.