
Re: IP address?



Michael,

I don't think your statement:

That's ingrained into the protocol.

is correct. AFAIK it is nowhere defined in the Kerberos (or ssh) protocol
that you have to use DNS names for the principals.
The use of DNS is more a convention to make it easier to use the right
principal.

Markus
----- Original Message ----- 
From: "Michael B Allen" <miallen@ioplex.com>
To: "Paul Lathrop" <plathrop@digg.com>
Cc: <heimdal-discuss@sics.se>
Sent: Friday, April 11, 2008 10:41 PM
Subject: Re: IP address?


> On Fri, 11 Apr 2008 14:08:33 -0700
> Paul Lathrop <plathrop@digg.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi,
>>
>> This may be a stupid question, but I'm trying to wrap my head around how
>> this works. In a Kerberos environment, can you use IP addresses instead
>> of host names? For instance, if I enable GSSAPI in ssh, can I do
>> something like:
>>
>> ssh 192.168.1.1
>>
>> and have Kerberos request a ticket for host/192.168.1.1@MY.REALM ?
>
> Hi Paul,
>
> I don't think that would work. Even if you created a principal with an
> IP in the name, I think some clients would try to convert the IP to a
> name or wouldn't even try to do Kerberos if the target looked like an IP.
>
> Kerberos clients need a name to initiate authentication. That name is
> usually built from the target hostname. That's ingrained into the
> protocol.
>
> Mike
>
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
>