krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
John Hascall
john at iastate.edu
Tue Apr 8 16:46:42 EDT 2003
> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
>
> You have the following incompatible use cases:
>
> 1) People who want reverse resolution to work so that clustering
> works. I.E. dialup.university.edu will return some A record that
> you want to reverse resolve because it is some instance of
> dialup.university.edu.
>
> 2) People who have broken reverse DNS and who just want a forward lookup.
>
> 3) People who want no hostname canonicalization at all because they
> actually want security.
>
> Suggestions on how we can improve the mess greatly appreciated.
It seems to me that you can either:

1) choose 1 of those, (either convincing or annoying everyone else),
2) have a way to choose among them.
   a) config file option, or
   b) command line arg, or
   c) something else?
With #1 it seems to me that you can often work around that by putting
the generic key on every machine in the cluster like this:

    # klist -srvtab
    Server key file:   /etc/srvtab
    Service     Instance    Realm           Key Version
    ------------------------------------------------------
    rcmd        asw-1       IASTATE.EDU     3
    rcmd        asw         IASTATE.EDU     3

(excuse the V4-ness of my example :)
I would be interested in hearing more about #3 (how does
hostname canonicalization == no security?)
John
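The three use cases in the quoted message, and the "generic key on every cluster member" workaround above, can be made concrete with a small model. The block below is an added illustration, not code from this thread or from MIT krb5: it models krb5_sname_to_principal with a selectable canonicalization policy against a constructed DNS zone (the names, addresses, PTR records and the keytab contents are all made up for the example) and checks which client policies a cluster member's keytab satisfies.

```python
# Added illustration (not code from the krbdev thread or from MIT krb5): a toy
# model of the three hostname-canonicalization policies and of the "generic key
# on every cluster member" workaround. All DNS data below is constructed.

# Constructed zone data standing in for the resolver.
CNAME_RECORDS = {
    "mail.university.edu.": "www.university.edu.",
}
A_RECORDS = {
    "dialup.university.edu.": ["192.0.2.10", "192.0.2.11"],   # round-robin cluster name
    "dialup-1.university.edu.": ["192.0.2.10"],
    "dialup-2.university.edu.": ["192.0.2.11"],
    "www.university.edu.": ["192.0.2.20"],
}
PTR_RECORDS = {
    "192.0.2.10": "dialup-1.university.edu.",
    "192.0.2.11": "dialup-2.university.edu.",
    # 192.0.2.20 has no PTR on purpose: the "broken reverse DNS" case (2).
}


def _fqdn(name):
    """Lower-case and add the trailing dot so table lookups are uniform."""
    return name.lower().rstrip(".") + "."


def forward_lookup(name):
    """Follow CNAMEs, then return (canonical name, address list). Raises on NXDOMAIN."""
    fqdn = _fqdn(name)
    seen = set()
    while fqdn in CNAME_RECORDS:
        if fqdn in seen:
            raise LookupError("CNAME loop for %s" % fqdn)
        seen.add(fqdn)
        fqdn = CNAME_RECORDS[fqdn]
    if fqdn not in A_RECORDS:
        raise LookupError("no A record for %s" % fqdn)
    return fqdn, A_RECORDS[fqdn]


def canonicalize(hostname, policy):
    """Return the hostname that goes into the service principal.

    policy = "none":    use exactly what the caller typed (case 3 in the thread)
    policy = "forward": forward lookup only, CNAMEs followed (case 2)
    policy = "reverse": forward lookup, then the PTR of the first address (case 1);
                        falls back to the forward name when no PTR exists
    """
    if policy == "none":
        return _fqdn(hostname).rstrip(".")
    canon, addrs = forward_lookup(hostname)
    if policy == "forward":
        return canon.rstrip(".")
    if policy == "reverse":
        # Whoever controls the PTR record for addrs[0] now decides which principal
        # the client asks for, which is the security objection behind case 3.
        return PTR_RECORDS.get(addrs[0], canon).rstrip(".")
    raise ValueError("unknown policy %r" % policy)


def sname_to_principal(service, hostname, realm, policy):
    """Toy krb5_sname_to_principal(): service/canonical-host@REALM."""
    return "%s/%s@%s" % (service, canonicalize(hostname, policy), realm)


# Constructed keytab for cluster member dialup-1: its own key plus the generic
# cluster key, the V5 equivalent of the rcmd/asw-1 + rcmd/asw srvtab above.
CLUSTER_MEMBER_KEYTAB = {
    "host/dialup-1.university.edu@UNIVERSITY.EDU",
    "host/dialup.university.edu@UNIVERSITY.EDU",
}


def server_accepts(keytab, principal):
    """A server can decrypt a ticket only if it holds the key for that principal."""
    return principal in keytab


def cluster_works_for_every_policy(keytab):
    """True when a client reaching dialup-1 is accepted whichever policy it uses."""
    return all(
        server_accepts(keytab, sname_to_principal("host", "dialup.university.edu",
                                                  "UNIVERSITY.EDU", policy))
        for policy in ("none", "forward", "reverse")
    )


if __name__ == "__main__":
    for policy in ("none", "forward", "reverse"):
        for host in ("dialup.university.edu", "mail.university.edu", "www.university.edu"):
            print(policy, host, "->", sname_to_principal("host", host, "UNIVERSITY.EDU", policy))
    print("cluster keytab works for all policies:",
          cluster_works_for_every_policy(CLUSTER_MEMBER_KEYTAB))
```

With only the member's own key in the keytab, clients that do no canonicalization (or forward-only) ask for host/dialup.university.edu and fail; adding the generic cluster key makes every policy succeed, which is the point of the srvtab shown above. The "reverse" branch also makes the case-3 objection visible: the principal name is taken from a PTR record rather than from anything the user typed.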