krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

John Hascall john at
Tue Apr 8 16:46:42 EDT 2003

> The krb5 hostname handling is a real mess and I'm not really sure what
> to do to clean it up.
> You have the following incompatible use cases:
> 1) People who want reverse resolution to work so that clustering
>    works.  I.E. will return some A record that
>    you want to reverse resolve because it is some instance of
> 2) People who have broken reverse DNS and who just want a forward lookup.
> 3) People who want no hostname canonicalization at all because they
>     actually want security.
> Suggestions on how we can improve the mess greatly appreciated.

It seems to me that you can either:
  1) choose 1 of those, (either convincing or annoying everyone else),
  2) have a way to choose among them.
     a) config file option, or
     b) command line arg, or
     c) something else?

With #1 it seems to me that you can often workaround that by putting
the generic key on every machine in the cluster like this:

# klist -srvtab
Server key file:   /etc/srvtab
Service         Instance        Realm      Key Version
rcmd            asw-1           IASTATE.EDU     3
rcmd            asw             IASTATE.EDU     3

(excuse the V4-ness of my example :)

I would be interested in hearing more about #3 (how does
hostname canonicalization == no security?)


More information about the krbdev mailing list