[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Turning off hostname canonicalisation

To: Markus Moeller <huaraz@moeller.plus.com>
Subject: Re: Turning off hostname canonicalisation
From: Buck Huppmann <buckh@pobox.com>
Date: Tue, 13 Sep 2005 07:11:25 -0400
Cc: heimdal-discuss@sics.se, krbdev@mit.edu
In-Reply-To: <20050912221049.GA16511@dsl092-173-085.wdc2.dsl.speakeasy.net>
References: <6913CBA5-ADC0-430D-9ECC-7B83D018F0A8@mit.edu> <43222A05.4050607@mit.edu> <1126313407.5848.328.camel@amy.flyaway.abartlet.net> <43223044.8070309@mit.edu> <24A32B8D6AD8D678E72C9115@bistromath.pc.cs.cmu.edu> <1126329132.13543.10.camel@amy.flyaway.abartlet.net> <4322B7F7.9090604@mit.edu> <1126348877.13543.27.camel@amy.flyaway.abartlet.net> <18c801c5b607$a7b1f090$0801a8c0@home> <20050912221049.GA16511@dsl092-173-085.wdc2.dsl.speakeasy.net>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mutt/1.3.28i

On Mon, Sep 12, 2005 at 06:10:49PM -0400, Buck Huppmann wrote:

> of course, what would really be nice would be some Kerberos extensions
> to DNS so you could trust DNS and then specify how Kerberos implementa-
. . .

i'm sorry. i suppose one of the worst ideas to ever hit these lists is
to marry a security system like kerberos and DNS. forget i said that

nevertheless, i think the problem of doing any naming manipulations or 
trying to take bits from DNS (or whatever name service) and match them
up against kerberos principal name (components) belongs at a higher
level of the stack. as for the issue of canonicalization and that lead-
ing to server redirection and kerberos allowing that, again, i don't
think that's kerberos' business, and, if web server admins can distri-
bute X.509 certficates so that all their CNAME-sharing hosts' httpd's
can still authenticate as the same server, then kerberos admins should
be able to sling keytab entries similarly

References:
- Re: Turning off hostname canonicalisation
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: Turning off hostname canonicalisation
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Turning off hostname canonicalisation
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Turning off hostname canonicalisation
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Turning off hostname canonicalisation
  - From: "Markus Moeller" <huaraz@moeller.plus.com>
- Re: Turning off hostname canonicalisation
  - From: Buck Huppmann <buckh@pobox.com>

Prev by Date: [SAMBA4][PATCH] Provide a hook for Samba4 into gsskrb5_init_context
Next by Date: Re: Turning off hostname canonicalisation
Prev by thread: Re: Turning off hostname canonicalisation
Next by thread: Re: Turning off hostname canonicalisation
Index(es):
- Date
- Thread