I have not seen a really correct reply about this "how many dots" topic so
here goes.
Kerberos V4 from MIT, as shipped, only allows you to put one dot in a
principal instance pair. However the database and most of the associated
libraries do not have any restriction on them. I mean if you had fully
qualified instances (i.e. rcmd.host.domain.name) in the Kerberos database the
utilities would use it just fine. The bug/problem was trying to put it in
the database. CMU has been doing this for so long that many people have
probably forgotten that this was one of their long standing patches.
The only patch required to make fully qualified host names work in
Kerberos V4 was the following:
Randall
rcsdiff -u src/lib/krb/kname_parse.c
===================================================================
RCS file: src/lib/krb/RCS/kname_parse.c,v
retrieving revision 1.2
diff -u -r1.2 src/lib/krb/kname_parse.c
--- 1.2 1994/06/17 22:06:42
+++ src/lib/krb/kname_parse.c 1998/01/20 18:41:39
@@ -93,8 +93,13 @@
wnext = ip;
break;
case INST:
+#if 1 /* Allow dots in an instance (FQDN) */
+ *wnext++ = c;
+ break;
+#else
return KNAME_FMT;
/* break; */
+#endif
case REALM:
*wnext++ = c;
break;
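Review bot: the `#if 1` / `#else` / `#endif` wrapper around the INST arm leaves the old `return KNAME_FMT;` as permanently dead code; a named build macro (checked with `#ifdef`) or simply deleting the rejected branch would record the intent better than a hard-coded `1`. With the change applied the INST and REALM arms are identical (`*wnext++ = c; break;`), so the two case labels could share one body. Note also that a '.' no longer terminates the instance, so a principal that stock V4 rejected with KNAME_FMT is now silently accepted and the instance runs until '@' or end of string; callers that relied on that error to catch mistyped names will not see it any more.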
@@ -159,8 +164,12 @@
backslash = 1;
break;
case '.':
+#if 1 /* Allow dots in an instance (FQDN) */
+ break;
+#else
return 0;
/* break; */
+#endif
case '@':
return 0;
/* break; */
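Review bot: this second routine now accepts '.' like any other character while '@' is still rejected with `return 0;`, so the relaxation applies to every caller of this validation function, not only to instance strings. The hunk header does not show the function name, so it is worth confirming that the name component is not also checked here: as the quoted reply below points out, the V4 tools still assume the name part ends at the first dot, and validating a dotted name as acceptable would be inconsistent with that. The same `#if 1` dead-code remark as for the first hunk applies.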
On Sat, 17 Jan 1998, Jeffrey Hutzelman wrote:
: > >If I'm understanding correctly what several people have pointed out,
: > >standard Kerberos allows periods in user names.
: >
: > Actually ... I believe that MIT v4 only allows _one_ period (without
: > any escapes). A minor nit, true ... but it could be crucial :-)
:
: I'm not sure what you mean by "allows" here. We ran an MIT kerberos
: server for many years before we converted to V5 last summer. We always
: use long hostnames in rcmd principals, so we had lots of principals
: whose instances contained dots. I suppose you could theoretically
: have a principal name which contained a dot, but it wouldn't be very
: useful, as all of the tools and some library routines assume that the
: name part ends at the first dot.
:
: V5 deals with this in a different manner. In V5, a principal is named
: by one or more slash-separated parts. The most common cases are those
: with only one part (a username), or those with two parts, where the
: second is a hostname, service instance, or user instance. No part can
: contain a slash, but apparently a principal name can contain more than
: one part. Caveat: I've never actually tried that; YMMV.
:
: -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
: Systems Programmer
: School of Computer Science - Research Computing Facility
: Carnegie Mellon University - Pittsburgh, PA
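To make the "one dot" behaviour discussed in this thread concrete, here is a small added example (not MIT's kname_parse.c and not the CMU patch) that walks a V4 principal string "name.instance@realm" with the same NAME/INST/REALM states and switches between the stock rule (a second '.' is a format error) and the patched rule (the '.' becomes part of the instance). The buffer size KP_MAX, the rejection of a second '@', and the sample principal are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define KP_MAX 40          /* hypothetical per-component buffer size */
#define KP_OK  0
#define KP_FMT (-1)        /* stands in for KNAME_FMT */

enum { NAME, INST, REALM };

/* Walk "name.instance@realm" the way the three-state loop in the patch does.
 * allow_fqdn_inst == 0: stock MIT V4, a second '.' is a format error.
 * allow_fqdn_inst == 1: CMU behaviour, the '.' is stored in the instance. */
int kname_parse_demo(const char *s, char *name, char *inst, char *realm,
                     int allow_fqdn_inst)
{
    char *wnext = name, *end = name + KP_MAX - 1;
    int state = NAME;
    name[0] = inst[0] = realm[0] = '\0';
    for (; *s; s++) {
        char c = *s;
        if (c == '.' && state == NAME) {            /* name part ends at first dot */
            *wnext = '\0'; state = INST; wnext = inst; end = inst + KP_MAX - 1;
            continue;
        }
        if (c == '.' && state == INST && !allow_fqdn_inst)
            return KP_FMT;                          /* stock V4: only one dot allowed */
        if (c == '@') {                             /* a second '@' is rejected (example's choice) */
            if (state == REALM) return KP_FMT;
            *wnext = '\0'; state = REALM; wnext = realm; end = realm + KP_MAX - 1;
            continue;
        }
        if (wnext == end) return KP_FMT;            /* overlong component */
        *wnext++ = c;                               /* '.' in INST (patched) or REALM lands here */
    }
    *wnext = '\0';
    return name[0] ? KP_OK : KP_FMT;                /* name part is mandatory */
}

/* Parse and return the instance component (static storage), NULL if rejected. */
const char *inst_of(const char *p, int allow_fqdn_inst)
{
    static char n[KP_MAX], i[KP_MAX], r[KP_MAX];
    return kname_parse_demo(p, n, i, r, allow_fqdn_inst) == KP_OK ? i : NULL;
}

int main(void)
{
    const char *p = "rcmd.host.cs.example@EXAMPLE.EDU";   /* constructed sample */
    printf("stock V4 : %s\n", inst_of(p, 0) ? inst_of(p, 0) : "KNAME_FMT");
    printf("CMU patch: %s\n", inst_of(p, 1) ? inst_of(p, 1) : "KNAME_FMT");
    return 0;
}
```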