[28835] in Kerberos
Re: Kerberos 5 and DNS aliases
daemon@ATHENA.MIT.EDU (Jacob Welsh)
Sun Dec 2 13:48:55 2007
Message-ID: <4752FDF2.60906@gmail.com>
Date: Sun, 02 Dec 2007 13:48:18 -0500
From: Jacob Welsh <welshjf@gmail.com>
To: Simon Wilkinson <simon@sxw.org.uk>
In-Reply-To: <3279439054.3727999@relay.gradwell.net>
Cc: kerberos@mit.edu
Simon Wilkinson wrote:
>> If so, why does the available name depend on the `hostname` setting without any change in the DNS?
>>
>
> Because the server picks the acceptor principal to use for incoming connections by resolving the machine's hostname. You can disable this behaviour, and permit any principal[1] whose key is in the default keytab by using a recent version, and setting GSSAPIStrictAcceptorCheck to 'no'.
>
This appears to be only supported through your patch
(http://www.sxw.org.uk/computing/patches/openssh.html). Are there plans
for including this option in mainline OpenSSH soon?
-Jacob
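
The acceptor choice discussed in this thread, modelled as an added example (not part of the original messages and not OpenSSH code). The hostnames, realm and `klist -k` style listing are constructed, and the model assumes the client presents a ticket for `host/<name it connected to>`.

```python
# Simplified model of the two acceptor behaviours described in the thread.
# All hostnames, the realm and the keytab listing are constructed sample values.

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/node1.example.org@EXAMPLE.ORG
   3 host/login.example.org@EXAMPLE.ORG
"""


def keytab_principals(klist_output):
    """Extract principal names from `klist -k` style output."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines look like "<kvno> <principal>"; skip headers and rules.
        if len(fields) == 2 and fields[0].isdigit() and "@" in fields[1]:
            principals.add(fields[1])
    return principals


def acceptor_accepts(ticket_principal, machine_hostname, realm, keytab, strict=True):
    """Return True if a ticket for ticket_principal would be accepted.

    strict=True  : only host/<machine hostname>@REALM is used as the acceptor,
                   so a ticket issued for a DNS alias is rejected.
    strict=False : any principal whose key is in the keytab is accepted
                   (the behaviour of GSSAPIStrictAcceptorCheck 'no').
    """
    if ticket_principal not in keytab:
        return False  # no key to decrypt the ticket in either mode
    if strict:
        return ticket_principal == f"host/{machine_hostname}@{realm}"
    return True


if __name__ == "__main__":
    keytab = keytab_principals(SAMPLE_KLIST)
    alias = "host/login.example.org@EXAMPLE.ORG"
    for strict in (True, False):
        ok = acceptor_accepts(alias, "node1.example.org", "EXAMPLE.ORG", keytab, strict)
        print(f"strict={strict}: ticket for {alias} accepted: {ok}")
```
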