
Re: Turning off hostname canonicalisation



On Mon, Sep 12, 2005 at 06:10:49PM -0400, Buck Huppmann wrote:

> of course, what would really be nice would be some Kerberos extensions
> to DNS so you could trust DNS and then specify how Kerberos implementa-
. . .

i'm sorry. i suppose one of the worst ideas to ever hit these lists is
to marry a security system like kerberos and DNS. forget i said that

nevertheless, i think the problem of doing any naming manipulations or 
trying to take bits from DNS (or whatever name service) and match them
up against kerberos principal name (components) belongs at a higher
level of the stack. as for the issue of canonicalization and that leading
to server redirection and kerberos allowing that, again, i don't
think that's kerberos' business, and, if web server admins can distribute
X.509 certificates so that all their CNAME-sharing hosts' httpd's
can still authenticate as the same server, then kerberos admins should
be able to sling keytab entries similarly
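Added illustration, not part of the original message or of any Kerberos implementation: a small Python model of the two points the reply makes, namely that with hostname canonicalisation the service principal a client asks for is whatever the resolver says it is, and that without it the hosts behind a shared CNAME each need a keytab entry for the alias name. The zone contents, hostnames, realm and keytab sets are all constructed for the example; nothing here talks to real DNS or a real KDC.

```python
# Toy model (added example, not from the thread): how hostname canonicalisation
# decides which service principal a client requests, and what the server-side
# keytab must contain for authentication to succeed.
from __future__ import annotations

REALM = "EXAMPLE.COM"  # constructed realm name

# Constructed sample zone: one alias (CNAME) in front of two real web hosts.
# A dict stands in for the resolver; no real DNS lookup is performed.
TRUSTED_ZONE = {
    "www.example.com": ("CNAME", "web1.example.com"),
    "web1.example.com": ("A", "192.0.2.10"),
    "web2.example.com": ("A", "192.0.2.11"),
}

# Constructed resolver answer that disagrees with the real zone: the alias now
# points at a different host. This is the "server redirection" the reply warns
# about when Kerberos lets DNS pick the principal.
TAMPERED_ZONE = dict(TRUSTED_ZONE)
TAMPERED_ZONE["www.example.com"] = ("CNAME", "web2.example.com")


def canonical_hostname(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAME records to the final name (toy resolver, loop-protected)."""
    seen: list[str] = []
    while name in zone and zone[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        name = zone[name][1]
    return name


def service_principal(typed_host: str, zone: dict, canonicalize: bool) -> str:
    """Return the HTTP service principal the client will ask the KDC for.

    With canonicalisation the name depends on the resolver's answer; without
    it only the name the user typed is used, so DNS cannot move the target.
    """
    host = canonical_hostname(typed_host, zone) if canonicalize else typed_host
    return f"HTTP/{host.lower()}@{REALM}"


def server_can_authenticate(principal: str, keytab: set[str]) -> bool:
    """A service can only accept tickets for principals whose keys it holds."""
    return principal in keytab


def outcome(typed_host: str, zone: dict, canonicalize: bool,
            keytab: set[str]) -> tuple[str, bool]:
    """(principal requested, whether the contacted host can decrypt it)."""
    p = service_principal(typed_host, zone, canonicalize)
    return p, server_can_authenticate(p, keytab)


# Constructed keytabs for web1. The second is the arrangement the reply
# suggests: every host behind the alias also holds the key for the alias name.
WEB1_KEYTAB_MINIMAL = {"HTTP/web1.example.com@EXAMPLE.COM"}
WEB1_KEYTAB_SHARED = WEB1_KEYTAB_MINIMAL | {"HTTP/www.example.com@EXAMPLE.COM"}


if __name__ == "__main__":
    for canon in (True, False):
        for label, kt in (("minimal", WEB1_KEYTAB_MINIMAL),
                          ("shared", WEB1_KEYTAB_SHARED)):
            p, ok = outcome("www.example.com", TRUSTED_ZONE, canon, kt)
            print(f"canonicalize={canon!s:5} keytab={label:7} -> {p} ok={ok}")
    # Same user input, resolver answer changed: only the canonicalising client
    # ends up requesting a ticket for a different server.
    print(service_principal("www.example.com", TAMPERED_ZONE, True))
    print(service_principal("www.example.com", TAMPERED_ZONE, False))
```

With canonicalisation on, `HTTP/web1.example.com` is requested and the minimal keytab works, but a changed resolver answer silently turns the request into `HTTP/web2.example.com`. With it off, the request is always `HTTP/www.example.com`, which is immune to the resolver but only succeeds when web1's keytab also carries the alias entry, exactly the keytab-slinging the reply proposes. In current MIT krb5 the client-side switch corresponds to the `dns_canonicalize_hostname` and `rdns` settings in the `[libdefaults]` section of krb5.conf; that mapping is my note, not something the 2005 message states.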