> Date: Sun, 7 Apr 2013 02:27:32 -0400
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: openssh/mit kerberos and numeric host address
>
> On 04/06/2013 02:50 AM, 王剑 wrote:
> > - retval = krb5int_clean_hostname(context, host, local_host, sizeof > > local_host); > > - if (retval) > > - return retval; > > + krb5int_clean_hostname(context, host, local_host, sizeof local_host);
>
> Looking at the history of this code, the intent since krb5 1.3 has been
> to forbid IP-address hostname components in host-based service
> principals. It happens that in krb5 1.6, we factored out the
> numeric-address check and then neglected to check for errors when
> calling the helper function. But in krb5 1.3-1.5 and 1.7+, we return an
> error.
>
> KfW 3.2 was based on krb5 1.6. OSX 10.6 may also use krb5 1.6 (I
> believe the switch to Heimdal was in OSX 10.7).
>
> All that said, I'm not sure why we should have this check. If an
> environment (such as yours) really wants to use numeric addresses in
> service principals, I don't see why we should get in the way. I'll
> bring it up at our next team meeting and consider removing it. I don't
> think we'll go as far as creating an IP address prefix to realm mapping,
> though.
>
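Review bot: The added call to krb5int_clean_hostname() discards its return value, so every failure of the helper is ignored, not only the numeric-address rejection this thread is about, and local_host is then used without knowing whether the helper filled it in. If the aim is to permit numeric addresses, keep the "retval = ..." assignment and the "if (retval)" test and let through only the numeric-address case, or move that decision into the helper so the caller can keep returning other errors. A short comment at the call site stating that IP-address components are accepted on purpose would also keep a later cleanup from restoring the check.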
IP prefix to realm mapping is only useful when using IP addresses to log in to multiple realms, and this scenario is rare so not a big deal.

In my case, I have my own realm for my home servers and gadgets (gateway, media player, etc).

Thanks and looking forward to your followup on this one.

(It seems that outlook.com swallowed my last reply yesterday. This is a RESEND)

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
