krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Nathan Neulinger nneul at umr.edu
Tue Apr 8 17:01:46 EDT 2003


One approach, that I haven't had a chance to try yet:

Primary address for each cluster machine
Cluster name, plus virtual interface cluster address for each machine

Reverse for the primary points to itself
Reverse for the virtual addresses in the cluster point at the cluster
name.

Put the key for both the cluster name and the primary machine name on
each machine.

I don't know if this will work or not.

-- Nathan

On Tue, 2003-04-08 at 15:46, John Hascall wrote:
> > The krb5 hostname handling is a real mess and I'm not really sure what
> > to do to clean it up.
> > 
> > You have the following incompatible use cases:
> > 
> > 1) People who want reverse resolution to work so that clustering
> >    works.  i.e. dialup.university.edu will return some A record that
> >    you want to reverse resolve because it is some instance of
> >    dialup.university.edu.
> > 
> > 
> > 2) People who have broken reverse DNS and who just want a forward lookup.
> > 
> > 3) People who want no hostname canonicalization at all because they
> >     actually want security.
> > 
> > Suggestions on how we can improve the mess greatly appreciated.
> 
> It seems to me that you can either:
>   1) choose 1 of those, (either convincing or annoying everyone else),
>   2) have a way to choose among them.
>      a) config file option, or
>      b) command line arg, or
>      c) something else?
> 
> With #1 it seems to me that you can often workaround that by putting
> the generic key on every machine in the cluster like this:
> 
> # klist -srvtab
> Server key file:   /etc/srvtab
> Service         Instance        Realm      Key Version
> ------------------------------------------------------
> rcmd            asw-1           IASTATE.EDU     3
> rcmd            asw             IASTATE.EDU     3
> 
> (excuse the V4-ness of my example :)
> 
> I would be interested in hearing more about #3 (how does
> hostname canonicalization == no security?)
> 
> 
> John
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
-- 

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
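To make the three use cases in the quoted message concrete, here is an added example that models what krb5_sname_to_principal produces under each of them and what that implies for the keytab layout Nathan and John describe. It is not MIT krb5 code and not from either poster; the DNS tables, hostnames (dialup-5, asw, asw-1, attacker.evil.example) and addresses are constructed so it runs offline. The three modes correspond roughly to the behaviours that later krb5.conf [libdefaults] settings (rdns, dns_canonicalize_hostname) expose. The spoofed-PTR case at the end goes beyond the thread: it is my illustration of why case 3 is called the "security" option.

```python
"""Toy model of krb5_sname_to_principal hostname canonicalization.

Added example, not MIT krb5 source. DNS data below is a constructed,
in-memory table (names, addresses and the attacker host are made up)
so the script runs offline.
"""
from enum import Enum


class Canon(Enum):
    """Which of the three use cases from the thread the client follows."""
    FORWARD_AND_REVERSE = "forward+reverse"  # case 1: A lookup, then PTR of the address
    FORWARD_ONLY = "forward"                 # case 2: A/CNAME lookup only
    NONE = "none"                            # case 3: use the name exactly as typed


# Constructed forward zone: name -> ("A", [addresses]) or ("CNAME", target)
FORWARD = {
    "dialup.university.edu":   ("A", ["10.0.0.5", "10.0.0.6"]),  # round-robin pool
    "dialup-5.university.edu": ("A", ["10.0.0.5"]),
    "dialup-6.university.edu": ("A", ["10.0.0.6"]),
    "www.university.edu":      ("CNAME", "web1.university.edu"),
    "web1.university.edu":     ("A", ["10.0.1.1"]),
    "asw.iastate.edu":         ("A", ["192.0.2.10"]),  # cluster name / virtual address
    "asw-1.iastate.edu":       ("A", ["192.0.2.1"]),   # one node's primary address
}

# Constructed reverse zone, laid out as Nathan proposes: the primary
# address points back at the node, the virtual address at the cluster name.
REVERSE = {
    "10.0.0.5":   "dialup-5.university.edu",
    "10.0.0.6":   "dialup-6.university.edu",
    "10.0.1.1":   "web1.university.edu",
    "192.0.2.10": "asw.iastate.edu",
    "192.0.2.1":  "asw-1.iastate.edu",
}


def resolve_forward(name, forward):
    """Follow CNAMEs to the canonical name; return (canonical_name, addresses)."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        kind, target = forward.get(name, (None, None))
        if kind is None:
            raise LookupError(f"no forward record for {name}")
        if kind == "CNAME":
            name = target
        else:
            return name, list(target)


def sname_to_principal(hostname, service, realm, mode, forward=FORWARD, reverse=REVERSE):
    """Build service/host@REALM the way a client would under the given mode."""
    host = hostname.lower()  # krb5 lowercases the host component
    if mode is not Canon.NONE:
        host, addrs = resolve_forward(host, forward)
        if mode is Canon.FORWARD_AND_REVERSE:
            # PTR of the first address wins; if it has none, keep the forward name
            host = reverse.get(addrs[0], host)
    return f"{service}/{host}@{realm}"


def keytab_principals(client_names, service, realm, modes=tuple(Canon),
                      forward=FORWARD, reverse=REVERSE):
    """Every principal a server must hold a key for, given the names clients
    may use to reach it and the canonicalization modes those clients run."""
    return {sname_to_principal(n, service, realm, m, forward, reverse)
            for n in client_names for m in modes}


if __name__ == "__main__":
    for mode in Canon:
        print(mode.value, "->",
              sname_to_principal("dialup.university.edu", "host", "UNIVERSITY.EDU", mode))
    # Cluster node asw-1 must carry keys for its own name and the cluster name
    print(sorted(keytab_principals(["asw.iastate.edu", "asw-1.iastate.edu"],
                                   "host", "IASTATE.EDU")))
    # Why case 3 is the "security" option: a spoofed PTR redirects the principal
    spoofed = dict(REVERSE, **{"10.0.1.1": "attacker.evil.example"})
    print(sname_to_principal("www.university.edu", "host", "UNIVERSITY.EDU",
                             Canon.FORWARD_AND_REVERSE, reverse=spoofed))
    print(sname_to_principal("www.university.edu", "host", "UNIVERSITY.EDU",
                             Canon.NONE, reverse=spoofed))
```

Run it and the pool case comes out as host/dialup-5.university.edu under reverse canonicalization but host/dialup.university.edu under the other two modes, which is exactly why the same clients cannot be served by one keytab layout. For the asw cluster, keytab_principals returns both host/asw and host/asw-1, matching the two-entry srvtab John shows. In the spoofed case the reverse-canonicalizing client asks the KDC for a ticket to whatever name the PTR says, so anyone who controls that PTR (or the path to the resolver) picks the service principal; the case-3 client keeps the name the user typed.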
