In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:
> On Saturday, April 10, 2004 16:47:21 +0000 Donn Cave <[EMAIL PROTECTED]>
> wrote:
>
> > It depends on your client software. All you need to do is resolve the
> > addresses to canonical host name first, and use the resolved name for
> > both the client connect and the service ticket.
>
> Careful here... Using insecure DNS to compute a service principal name is
> asking for trouble. You're OK if, as suggested, you compare the resulting
> name to a list of known valid servers, but that's a fair bit of work and
> most software that does reverse resolution to determine service names
> either can't or doesn't do it.

I believe we're more or less always asking for this trouble. If you don't
get a canonical, reverse looked-up name back out of MIT Kerberos
krb5_sname_to_principal(), then you're doing something different than me.
Given that implementation, you're going to do the reverse lookup anyway,
so the only question is whether it would be convenient to actually connect
to the same host. I assume so; that's why I'd propose to look up the
canonical name in the application.

Donn Cave, [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
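The pattern the two posters are arguing over, written out as an added example (this is not code from either poster, nor from MIT Kerberos, and it does not call libkrb5): forward-resolve the name the user typed, reverse-resolve the address to a canonical host name, use that one name for both the connect and the service principal, and refuse it unless it is on a list of known valid servers, which is the check Jeffrey says makes the DNS-derived name safe to use. The realm EXAMPLE.COM, the KNOWN_SERVERS list, the DNS tables (including the poisoned A record) and the host names in them are all constructed for the example; the lookup functions are injected so it runs offline. The forward-confirmation check (the PTR name must resolve back to the address) is an extra step beyond what the thread discusses, and on its own it does not stop the poisoned case, which is why the allow list is still needed.

```python
"""Derive a Kerberos service principal from a reverse-resolved canonical
name, then gate it on a list of known valid servers.

Added example, not code from the mailing-list post or from MIT Kerberos.
Realm, server list and DNS data below are assumptions constructed for it."""

import socket
from dataclasses import dataclass

REALM = "EXAMPLE.COM"                                   # assumed realm
KNOWN_SERVERS = {"mx1.example.com", "mx2.example.com"}  # assumed allow list

# Constructed DNS data standing in for the resolver so the example runs offline.
FORWARD = {
    "mail": ["192.0.2.10"],
    "mx1.example.com": ["192.0.2.10"],
    "evil.example.com": ["192.0.2.66"],
}
REVERSE = {
    "192.0.2.10": "mx1.example.com",
    "192.0.2.66": "evil.example.com",
}
# Same data with a poisoned A record: "mail" now points at a host in the realm
# whose key the attacker holds, so a ticket for host/evil.example.com would work.
POISONED_FORWARD = dict(FORWARD, mail=["192.0.2.66"])


@dataclass(frozen=True)
class Target:
    addr: str        # address the client connects to
    canonical: str   # reverse-resolved name used for the service ticket
    principal: str   # service/canonical@REALM


def table_resolvers(forward_table, reverse_table):
    """Build forward/reverse lookup functions over constructed tables."""
    def forward(host):
        try:
            return list(forward_table[host.lower().rstrip(".")])
        except KeyError:
            raise socket.gaierror(f"no address for {host}") from None

    def reverse(addr):
        try:
            return reverse_table[addr]
        except KeyError:
            raise socket.herror(f"no PTR for {addr}") from None

    return forward, reverse


def system_forward(host):
    """Real forward lookup, used only when no table is injected."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def system_reverse(addr):
    """Real reverse (PTR) lookup, used only when no table is injected."""
    return socket.gethostbyaddr(addr)[0]


def canonical_target(host, service, known_servers=KNOWN_SERVERS,
                     forward=system_forward, reverse=system_reverse, realm=REALM):
    """Resolve host -> address -> canonical name, check it against the allow
    list, and return the address and principal derived from that one lookup."""
    addr = forward(host)[0]
    canonical = reverse(addr).lower().rstrip(".")
    # Extra check beyond the thread: the PTR name must resolve back to the address.
    if addr not in forward(canonical):
        raise PermissionError(f"PTR {canonical!r} for {addr} is not forward-confirmed")
    # The check from the thread: DNS alone is untrusted, so the name must be known.
    if canonical not in known_servers:
        raise PermissionError(f"{canonical!r} is not a known server; refusing ticket request")
    return Target(addr, canonical, f"{service}/{canonical}@{realm}")


def resolve_with_tables(host, service, forward_table, reverse_table,
                        known_servers=KNOWN_SERVERS):
    """Convenience wrapper running canonical_target over constructed tables."""
    fwd, rev = table_resolvers(forward_table, reverse_table)
    return canonical_target(host, service, known_servers, forward=fwd, reverse=rev)


if __name__ == "__main__":
    print(resolve_with_tables("mail", "host", FORWARD, REVERSE))
    try:
        resolve_with_tables("mail", "host", POISONED_FORWARD, REVERSE)
    except PermissionError as err:
        print("refused:", err)
```

With the honest tables the client connects to 192.0.2.10 and asks for host/mx1.example.com@EXAMPLE.COM; with the poisoned A record the lookup is internally consistent (the PTR forward-confirms) yet the result is refused because evil.example.com is not a known server, which is the case the allow list exists for.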