"ms419" == ms419 <[EMAIL PROTECTED]> writes:

ms419> Pardon this newbish question, but here's the setup: I want
ms419> to distribute the keys for one host among two
ms419> realms. Basically, I've got a sensitive service running on
ms419> a couple of hosts, and a less secure service running on the
ms419> same hosts. I want to store the keys for the sensitive
ms419> service in one realm, and the keys for the others in
ms419> another. Any problems with these premises?
Yes. Current Kerberos implementations assume a host belongs to one realm. You'll find it difficult to actually do this.
Note that this is an implementation issue; the Kerberos protocol specification itself says that a service may be registered in multiple realms. But there are also specifications which assume that the realm name -- or *a* realm name, I guess -- can be determined from the service name and host name through unspecified means. As far as I know, current implementations do that determination using the host name only.
I recommend having one KDC which is more secure than your most sensitive service.
This is probably best, if it can be arranged.
Ken
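To make the "host name only" point above concrete, here is an added illustration (not code from the thread, nor MIT krb5's own source) of how a client library in the style of MIT krb5's [domain_realm] section picks a realm: exact hostname entry first, then the longest matching parent-domain entry, then default_realm. The krb5.conf fragment, realm names and hostnames are constructed for the example. Because only the hostname is consulted, two different services on the same host always resolve to the same realm, which is why splitting one host's keys across two realms does not work with this mechanism.

```python
"""
Hostname-only realm resolution in the style of MIT krb5's [domain_realm]
lookup (added example; assumptions: constructed krb5.conf, hypothetical
realms LOWSEC.EXAMPLE.COM / HIGHSEC.EXAMPLE.COM).
"""

import re
from typing import Dict, Optional

# Constructed sample krb5.conf fragment (hypothetical realms and hosts).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = LOWSEC.EXAMPLE.COM

[domain_realm]
    # every host under example.com defaults to the less secure realm ...
    .example.com = LOWSEC.EXAMPLE.COM
    example.com = LOWSEC.EXAMPLE.COM
    # ... except this one host, which is mapped to the sensitive realm
    db1.example.com = HIGHSEC.EXAMPLE.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat 'key = value' lines under [section] headers."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def realm_for_host(conf: Dict[str, Dict[str, str]], hostname: str) -> Optional[str]:
    """Map a hostname to a realm: exact entry, then parent domains, then default."""
    domain_realm = conf.get("domain_realm", {})
    host = hostname.rstrip(".").lower()
    # 1. An entry for the exact hostname wins.
    if host in domain_realm:
        return domain_realm[host]
    # 2. Otherwise walk up the parent domains, most specific first.
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # 3. Fall back to libdefaults default_realm (None if unset).
    return conf.get("libdefaults", {}).get("default_realm")


def service_principal(conf: Dict[str, Dict[str, str]], service: str, hostname: str) -> str:
    """Build the principal a client would request. Note that 'service'
    plays no part in choosing the realm; only the hostname does."""
    return f"{service}/{hostname}@{realm_for_host(conf, hostname)}"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for svc in ("host", "HTTP"):
        # Both services on db1 land in the same realm: the host decides.
        print(service_principal(conf, svc, "db1.example.com"))
    print(service_principal(conf, "host", "web.example.com"))
```

Run it to see that `host/db1.example.com` and `HTTP/db1.example.com` both resolve to HIGHSEC.EXAMPLE.COM; to put the less sensitive service's key in the other realm you would need a per-service mapping that this lookup does not provide.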
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos