In article <[EMAIL PROTECTED]>, Fredrik Tolf <[EMAIL PROTECTED]> wrote:
> On Tue, 2005-01-18 at 18:45 -0500, Roland Dowdeswell wrote:
> > On 1106079270 seconds since the Beginning of the UNIX epoch
> > Fredrik Tolf wrote:
> > >
> > > I came up with a fairly simple solution that would be to add, to inetd
> > > on each host, a simple program that just echoes to the connecting host
> > > what that host's perception of its own FQDN is. Then I'd write a simple
> > > nsswitch module for gethostbyaddr (possibly with some kind of config
> > > file so that it never tries for hosts that aren't supposed to be part of
> > > this) that connects to this service on the address that it is supposed
> > > to canonicalize.
> >
> > You could always do what Heimdal does, which is use ai->ai_canonname
> > rather than performing a reverse lookup. Unfortunately, this strategy
> > is not followed by 3rd party vendors such as OpenSSH.
>
> I'm sorry if I'm wrong, but doesn't getaddrinfo get ai_canonname by
> doing a reverse lookup? When I tried it out, at least that is what
> happened.

It depends on the platform. The GNU getaddrinfo implementation does. I'm assuming AI_CANONNAME in ai_flags. NetBSD 2.0 and AIX 5.2 don't; they stop at what you'd get from gethostbyname() -- they look up CNAME aliases but don't look up the IP PTR.

Also might be worth mentioning that the MIT implementation also uses this in several places, though in the critical sname_to_principal() function it uses getnameinfo for the lookup. Secure DNS would be nice for all this.

Donn Cave, [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
