krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

Nicolas Williams Nicolas.Williams at
Tue Apr 8 18:12:25 EDT 2003

On Tue, Apr 08, 2003 at 05:22:52PM -0400, Sam Hartman wrote:
> Generic keys are insecure because of replay cache issues.

Clusters should be able to share their replace caches.  PFS in
extensions will kinda solve this problem... :)

The location of the replay caches may have to be configurable on a
per-princ name basis though so that clustered rcaches can be located on
shared filesystems, or perhaps a clustered rcache provider could be

> Command line options are not really acceptable because there is no way
> to pass that information through GSSAPI or SASL.


> A config file option is not really very good because it is a property
> of the server what you need to do, not a property of your client.

If you have DNSSEC then sure, krb5_sname_to_principal() can canonicalize
via reverse name resolution.



More information about the krbdev mailing list