openssh/mit kerberos and numeric host address

王剑 larkwang at outlook.com
Sun Apr 7 23:21:45 EDT 2013


> Date: Sun, 7 Apr 2013 02:27:32 -0400
> From: ghudson at MIT.EDU
> To: larkwang at outlook.com
> CC: kerberos at mit.edu
> Subject: Re: openssh/mit kerberos and numeric host address
>
> On 04/06/2013 02:50 AM, 王剑 wrote:
> > - retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
> > - if (retval)
> > - return retval;
> > + krb5int_clean_hostname(context, host, local_host, sizeof local_host);
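Review bot: dropping `retval` here silences every error krb5int_clean_hostname can report, not only the numeric-address rejection this change is meant to lift, and on any failure the caller now carries on with `local_host` in whatever state the helper left it. If the aim is to accept IP literals, keep the `if (retval) return retval;` path and relax the numeric-address check inside krb5int_clean_hostname instead, or have it return a distinct code for that one case so this caller can tolerate just that and still propagate the rest.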
>
> Looking at the history of this code, the intent since krb5 1.3 has been
> to forbid IP-address hostname components in host-based service
> principals. It happens that in krb5 1.6, we factored out the
> numeric-address check and then neglected to check for errors when
> calling the helper function. But in krb5 1.3-1.5 and 1.7+, we return an
> error.
>
> KfW 3.2 was based on krb5 1.6. OSX 10.6 may also use krb5 1.6 (I
> believe the switch to Heimdal was in OSX 10.7).
>
> All that said, I'm not sure why we should have this check. If an
> environment (such as yours) really wants to use numeric addresses in
> service principals, I don't see why we should get in the way. I'll
> bring it up at our next team meeting and consider removing it. I don't
> think we'll go as far as creating an IP address prefix to realm mapping,
> though.
>

IP prefix to realm mapping is only useful when using IP addresses to login to
multiple realms, and this scenario is rare so not a big deal. In my case, I have
my own realm for my home servers and gadgets (gateway, media player, etc).

Thanks and looking forward to your follow-up on this one.
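As an added illustration (not krb5 code and not part of this thread), here is a hostname-cleaning helper in the spirit of krb5int_clean_hostname together with a caller that keeps the error check the quoted patch removes. `clean_hostname`, `build_host_principal`, `principal_result`, the `HN_*` codes and the `allow_numeric` switch are hypothetical names. It shows the two ways of handling the numeric-address policy, refusing the literal (the krb5 1.3-1.5 / 1.7+ behaviour) or accepting it explicitly, while a length error is always propagated either way.

```c
/* Added example, not krb5 code: a clean_hostname-style helper and a caller
 * that checks its return value. All names here are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum {
    HN_OK       = 0,
    HN_TOO_LONG = 1,   /* hypothetical: hostname does not fit the buffer */
    HN_NUMERIC  = 2    /* hypothetical: host component is an IP literal */
};

/* True if `host` parses as an IPv4 or IPv6 address literal. */
static int is_numeric_address(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Lowercase `host` into `out` and drop a trailing dot. With allow_numeric == 0
 * an IP literal is refused (the krb5 1.3-1.5 / 1.7+ policy); with 1 it is
 * copied through. A name that does not fit the buffer is always an error. */
int clean_hostname(const char *host, char *out, size_t outlen, int allow_numeric)
{
    size_t len = strlen(host);
    if (len >= outlen)
        return HN_TOO_LONG;
    if (!allow_numeric && is_numeric_address(host))
        return HN_NUMERIC;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[len] = '\0';
    if (len > 0 && out[len - 1] == '.')
        out[len - 1] = '\0';
    return HN_OK;
}

/* Build "service/host" only if the hostname cleaned up successfully: the
 * `if (retval) return retval;` is exactly what the quoted patch deleted. */
int build_host_principal(const char *service, const char *host, int allow_numeric,
                         char *out, size_t outlen)
{
    char local_host[256];
    int retval = clean_hostname(host, local_host, sizeof local_host, allow_numeric);
    if (retval)
        return retval;
    if (snprintf(out, outlen, "%s/%s", service, local_host) >= (int)outlen)
        return HN_TOO_LONG;
    return HN_OK;
}

/* Demo wrapper: returns the result code, leaves the principal in last_principal. */
char last_principal[64];
int principal_result(const char *host, int allow_numeric)
{
    return build_host_principal("host", host, allow_numeric,
                                last_principal, sizeof last_principal);
}

int main(void)
{
    /* Constructed sample inputs: a DNS name with a trailing dot, an IPv4
     * literal and an IPv6 literal, each run under both policies. */
    const char *hosts[] = { "Server.Example.COM.", "192.168.1.10", "::1" };
    for (int allow = 0; allow <= 1; allow++) {
        for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
            int rc = principal_result(hosts[i], allow);
            printf("allow_numeric=%d %-22s -> rc=%d %s\n", allow, hosts[i], rc,
                   rc == HN_OK ? last_principal : "(rejected)");
        }
    }
    return 0;
}
```

The point of the split is that the caller never has to guess what the helper did: a refused IP literal and an oversized name both come back as distinct codes, so a policy decision (accept numeric hosts or not) can be made in one place without losing the other checks.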
