requiring canonical hostnames

James Matthews matthews at
Fri Aug 20 17:50:30 EDT 2004

Our kerberized Mac FTP client (Fetch) does a reverse name lookup of 
the server's IP address to get a canonical hostname before requesting 
tickets from Kerberos.  Some users are in situations where reverse 
name lookup for the server address fails, and currently that prevents 
Fetch from making GSS Kerberos logins.  Would there be adverse 
security implications to having Fetch fall back on using the hostname 
entered by the user when reverse name lookup fails?  Apple's Mail and 
AFP clients appear to work in this case, which makes me suspect that 
they are using this (or some other) work-around.

Jim Matthews
Fetch Softworks

More information about the krbdev mailing list