Re: IP address?



--On Saturday, April 12, 2008 12:53:56 PM +0100 Markus Moeller 
<huaraz@moeller.plus.com> wrote:

> Michael,
>
> I don't think your statement:
>
> That's ingrained into the protocol.
>
> is correct. AFAIK it is nowhere in the Kerberos (nor ssh) protocol
> defined that you have to use DNS names for the principals.

RFC4462 section 7.1 specifies the use of GSS-API host-based service names 
for SSH.  If you read the language in that section and in RFC2743 section 
4.1, it is fairly clear that the use of fully-qualified domain names is 
intended.

Kerberos itself certainly does not require the use of principal names of 
any particular form, but applications using Kerberos, GSS-API, and/or SASL 
generally do, because agreement on the correct principal name form is 
required for interoperability.

-- Jeff