On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote:
> On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
> > Well, it poses a problem for domain to realm mappings, as you've seen.
>
> What Russ says is true, but on top of that, the Kerberos library also
> needs to know what service ticket to ask for. It's likely that the
> client tried to get tickets for host/10.14.13...@defaultrealm before
> falling back to guessing 14.134.5 as the realm.
>
> The proximal issue is that you need a reverse DNS entry for 10.14.134.5.
> (Reliance on DNS for this purpose is a long-standing security issue, but
> we still do it.)

When an app resolves a user-given IP address to a name which is then
used for authentication purposes, the app should prompt the user as to
whether the name is the one the user had intended. Most non-browser
apps don't really do that.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
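
Added example, not part of the original message or of any Kerberos library: one way an application could apply the confirmation step described above before it builds a host/<name> service principal from a user-given IP address. The function names, the confirm hook, and the sample name fileserver.example.com are assumptions for illustration.

```python
import ipaddress
import socket


class NameNotConfirmed(Exception):
    """Raised when no user-approved hostname is available for the target."""


def reverse_lookup(ip):
    # PTR lookup through the system resolver; the answer is unauthenticated.
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def service_hostname(target, confirm, resolve=reverse_lookup):
    """Return the hostname to build host/<name> from, or raise.

    target  -- what the user typed (hostname or IP literal)
    confirm -- callable(ip, name) -> bool that asks the user (hypothetical hook)
    resolve -- callable(ip) -> name or None, injectable so this runs offline
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # The user typed a name, so it is already the name they intended.
        return target.rstrip(".").lower()
    name = resolve(str(ip))
    if not name:
        # No PTR record: stop here instead of deriving a principal or a
        # realm from the digits of the address.
        raise NameNotConfirmed(f"no reverse DNS entry for {ip}")
    name = name.rstrip(".").lower()
    if not confirm(str(ip), name):
        raise NameNotConfirmed(f"user rejected {name} for {ip}")
    return name


def ask_on_terminal(ip, name):
    reply = input(f"{ip} resolves to {name}; authenticate to that host? [y/N] ")
    return reply.strip().lower() in ("y", "yes")


if __name__ == "__main__":
    # Constructed data: the address is the one from the thread, the name is made up.
    fake_dns = {"10.14.134.5": "fileserver.example.com."}
    print(service_hostname("10.14.134.5", ask_on_terminal, fake_dns.get))
```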