Miguel Sanders <[EMAIL PROTECTED]> writes:

> I was just wondering how Kerberos reacts to IP aliases (virtual IP
> addresses). Do you have to create a host principal for the virtual
> hostname as well?

Generally, yes. Kerberos itself doesn't know anything about such things and just authenticates whatever principal the client uses using its keys.

However, the client has to know what the server identity is in order to authenticate. While it's possible to make the user explicitly specify an identity, that's unusual and in practice the client usually guesses based on the hostname. In some cases the client will just use whatever hostname is given on the command line, but in many cases it will do a forward and reverse DNS lookup to canonicalize the hostname (although this is less secure if you can't trust DNS, and most people can't). So in practice the server needs to have a key for all identities that might result from either of those approaches.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
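An added example, not part of the original thread: a small check that lists the principals a client might request for a hostname (the name as typed, and the name after forward and reverse DNS canonicalization) and reports which ones the server's keytab lacks. The hostnames, address, realm, keytab contents and function names are all constructed for illustration.

```python
import socket

# Constructed sample data: a virtual name and a node name sharing one address.
SAMPLE_FORWARD = {"www.example.org": "192.0.2.10", "node1.example.org": "192.0.2.10"}
SAMPLE_REVERSE = {"192.0.2.10": "node1.example.org"}
# Constructed keytab contents: only the node's own host principal is present.
SAMPLE_KEYTAB = {"host/node1.example.org@EXAMPLE.ORG"}


def sample_resolver(name):
    """Offline stand-in for DNS: forward then reverse lookup, None on failure."""
    ip = SAMPLE_FORWARD.get(name.lower().rstrip("."))
    return SAMPLE_REVERSE.get(ip) if ip else None


def dns_resolver(name):
    """Same lookup against the system resolver, for use on a real host."""
    try:
        return socket.gethostbyaddr(socket.gethostbyname(name))[0]
    except OSError:  # gaierror and herror are both OSError subclasses
        return None


def candidate_principals(hostname, realm, service="host", resolver=sample_resolver):
    """Principals a client may request: name as given, then canonicalized name."""
    names = [hostname.lower().rstrip(".")]
    canon = resolver(hostname)
    if canon:
        canon = canon.lower().rstrip(".")
        if canon not in names:
            names.append(canon)
    return [f"{service}/{n}@{realm}" for n in names]


def missing_keys(hostname, realm, keytab_principals, **kwargs):
    """Candidate principals for which the server holds no key."""
    candidates = candidate_principals(hostname, realm, **kwargs)
    return [p for p in candidates if p not in keytab_principals]


if __name__ == "__main__":
    for host in ("www.example.org", "node1.example.org"):
        print(host, "->", missing_keys(host, "EXAMPLE.ORG", SAMPLE_KEYTAB) or "all keys present")
```

Pass `resolver=dns_resolver` and the principal names from the server's real keytab to run the same check against live DNS.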
