Re: IP address?



On Sat, 12 Apr 2008 12:53:56 +0100
"Markus Moeller" <huaraz@moeller.plus.com> wrote:

> Michael,
> 
> I don't think your statement:
> 
> That's ingrained into the protocol.
> 
> is correct. AFAIK it is nowhere in the Kerberos (nor ssh) protocol defined 
> that you have to use DNS names for the principals.
> The use of DNS is more a convention to make it easier to use the right 
> principal.

I never said anything about DNS.

> ----- Original Message ----- 
> From: "Michael B Allen" <miallen@ioplex.com>
> To: "Paul Lathrop" <plathrop@digg.com>
> Cc: <heimdal-discuss@sics.se>
> Sent: Friday, April 11, 2008 10:41 PM
> Subject: Re: IP address?
> 
> 
> > On Fri, 11 Apr 2008 14:08:33 -0700
> > Paul Lathrop <plathrop@digg.com> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hi,
> >>
> >> This may be a stupid question, but I'm trying to wrap my head around how
> >> this works. In a Kerberos environment, can you use IP addresses instead
> >> of host names? For instance, if I enable GSSAPI in ssh, can I do
> >> something like:
> >>
> >> ssh 192.168.1.1
> >>
> >> and have Kerberos request a ticket for host/192.168.1.1@MY.REALM ?
> >
> > Hi Paul,
> >
> > I don't think that would work. Even if you created a principal with an
> > IP in the name, I think some clients would try to convert the IP to a
> > name or wouldn't even try to do Kerberos if the target looked like an IP.
> >
> > Kerberos clients need a name to initiate authentication. That name is
> > usually built from the target hostname. That's ingrained into the
> > protocol.