krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
Nicolas Williams
Nicolas.Williams at sun.com
Tue Apr 8 18:12:25 EDT 2003
On Tue, Apr 08, 2003 at 05:22:52PM -0400, Sam Hartman wrote:
> Generic keys are insecure because of replay cache issues.
Clusters should be able to share their replay caches. PFS in
extensions will kinda solve this problem... :)
The location of the replay caches may have to be configurable on a
per-princ name basis though so that clustered rcaches can be located on
shared filesystems, or perhaps a clustered rcache provider could be
developed.
> Command line options are not really acceptable because there is no way
> to pass that information through GSSAPI or SASL.
Right.
> A config file option is not really very good because it is a property
> of the server what you need to do, not a property of your client.
If you have DNSSEC then sure, krb5_sname_to_principal() can canonicalize
via reverse name resolution.
Cheers,
Nico
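Added example, not part of Nico's message or of MIT krb5: a small model of the reverse-DNS canonicalization krb5_sname_to_principal() does when rdns is enabled, run over a constructed in-memory resolver so it works offline. The hostnames, addresses and realm are made up, and the `authenticated` flag stands in for a DNSSEC-validated PTR answer (the AD bit a validating resolver would report). It shows why the "if you have DNSSEC" condition matters: with an unvalidated PTR, whoever controls the in-addr.arpa zone picks the service principal the client asks the KDC for.

```python
"""Model of the reverse-DNS canonicalization krb5_sname_to_principal()
performs, over an in-memory resolver so it runs offline.

Added example; not code from MIT krb5 or from the krbdev thread. Zone data
is constructed, and 'authenticated' stands in for a DNSSEC-validated answer.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PtrAnswer:
    fqdn: str
    authenticated: bool  # True only if the PTR record was DNSSEC-validated


class FakeResolver:
    """Constructed stand-in for DNS: forward (A) and reverse (PTR) tables."""

    def __init__(self, forward: Dict[str, Tuple[str, str]],
                 reverse: Dict[str, PtrAnswer]):
        # forward: query name -> (canonical fqdn from the CNAME/A chain, address)
        self._forward = forward
        self._reverse = reverse

    def forward(self, name: str) -> Tuple[str, str]:
        return self._forward[name.lower().rstrip(".")]

    def reverse(self, addr: str) -> Optional[PtrAnswer]:
        return self._reverse.get(addr)


def sname_to_principal(hostname: str, service: str, realm: str,
                       resolver: FakeResolver, trust_reverse: str) -> str:
    """Build service/host@REALM following the libkrb5 canonicalization steps.

    trust_reverse:
      "never"  - rdns = false: use only the forward-resolved canonical name
      "dnssec" - take the PTR only when it was DNSSEC-validated, the condition
                 Nico puts on canonicalizing via reverse resolution
      "always" - rdns = true with no validation: the classic, spoofable default
    """
    canon, addr = resolver.forward(hostname)
    ptr = resolver.reverse(addr)
    if ptr is not None:
        if trust_reverse == "always" or (trust_reverse == "dnssec"
                                         and ptr.authenticated):
            canon = ptr.fqdn
    canon = canon.lower().rstrip(".")
    return f"{service}/{canon}@{realm}"


# Constructed zone data. 192.0.2.10 is the real LDAP server; the second
# resolver models an attacker who controls the in-addr.arpa zone for it.
REALM = "EXAMPLE.COM"
FORWARD = {"ldap1": ("ldap1.example.com", "192.0.2.10"),
           "ldap1.example.com": ("ldap1.example.com", "192.0.2.10")}

HONEST = FakeResolver(
    FORWARD, {"192.0.2.10": PtrAnswer("ldap1.example.com", authenticated=True)})
SPOOFED = FakeResolver(
    FORWARD, {"192.0.2.10": PtrAnswer("evil.example.com", authenticated=False)})


def demo() -> Dict[str, str]:
    """Principal the client would request under each resolver/policy pair."""
    return {
        "honest/dnssec": sname_to_principal("ldap1", "ldap", REALM, HONEST, "dnssec"),
        "spoofed/always": sname_to_principal("ldap1", "ldap", REALM, SPOOFED, "always"),
        "spoofed/dnssec": sname_to_principal("ldap1", "ldap", REALM, SPOOFED, "dnssec"),
        "spoofed/never": sname_to_principal("ldap1", "ldap", REALM, SPOOFED, "never"),
    }


if __name__ == "__main__":
    for policy, princ in demo().items():
        print(f"{policy:15} -> {princ}")
```

Only the "spoofed/always" case yields ldap/evil.example.com@EXAMPLE.COM: the client then obtains a ticket for a principal whose key the attacker holds, and an attacker who also sits in the path to 192.0.2.10 can complete the GSSAPI exchange as the server. Requiring a validated PTR, or disabling reverse lookup entirely, keeps the name at the forward-resolved ldap1.example.com in all other cases, so the server-side naming knowledge the thread is arguing about never depends on unauthenticated reverse DNS.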