[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IP address?


I don't think your statement:

That's ingrained into the protocol.

is correct. AFAIK it is nowhere in the Kerberos (nor ssh) protocol defined 
that you have to use DNS names for the principals.
The use of DNS is more a convention to make it easier to use the right 

----- Original Message ----- 
From: "Michael B Allen" <miallen@ioplex.com>
To: "Paul Lathrop" <plathrop@digg.com>
Cc: <heimdal-discuss@sics.se>
Sent: Friday, April 11, 2008 10:41 PM
Subject: Re: IP address?

> On Fri, 11 Apr 2008 14:08:33 -0700
> Paul Lathrop <plathrop@digg.com> wrote:
>> Hash: SHA1
>> Hi,
>> This may be a stupid question, but I'm trying to wrap my head around how
>> this works. In a Kerberos environment, can you use IP addresses instead
>> of host names? For instance, if I enable GSSAPI in ssh, can I do
>> something like:
>> ssh
>> and have Kerberos request a ticket for host/ ?
> Hi Paul,
> I don't think that would work. Even if you created a principal with an
> IP in the name, I think some clients would try to convert the IP to a
> name or wouldn't even try to do kerberos if the target looked like an IP.
> Kerberos clients need a name to initiate authentication. That name is
> usually built from the target hostname. That's ingrained into the
> protocol.
> Mike
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/