[32958] in Kerberos

Re: ssh to IP literal

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 13 13:03:32 2010

From: Greg Hudson <ghudson@mit.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <8739q2dynd.fsf@windlord.stanford.edu>
Date: Mon, 13 Dec 2010 13:03:17 -0500
Message-ID: <1292263397.20307.444.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
> Well, it poses a problem for domain to realm mappings, as you've seen.

What Russ says is true, but on top of that, the Kerberos library also
needs to know what service ticket to ask for.  It's likely that the
client tried to get tickets for host/10.14.134.5@defaultrealm before
falling back to guessing 14.134.5 as the realm.

The proximal issue is that you need a reverse DNS entry for 10.14.134.5.
(Reliance on DNS for this purpose is a long-standing security issue, but
we still do it.)


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
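
Added example (not part of Greg Hudson's message and not MIT krb5 code): a simplified Python model of the principal selection the message describes, showing why a missing PTR record for 10.14.134.5 ends in the realm guess 14.134.5. The default realm EXAMPLE.COM, the name server.example.com, the domain-to-realm map and all function names are assumptions made for illustration.

```python
# Simplified model of the client-side steps described in the message above.
# Not MIT krb5 code: realm names, DNS data and function names are constructed.
import ipaddress

DEFAULT_REALM = "EXAMPLE.COM"                       # assumed default realm
DOMAIN_REALM = {".example.com": "EXAMPLE.COM"}      # constructed domain-to-realm map
PTR_MISSING = {}                                    # reverse zone as in the thread
PTR_FIXED = {"10.14.134.5": "server.example.com"}   # constructed PTR record


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def canonicalize(name, ptr):
    """Name the service principal is built from.

    An IP literal is replaced by its PTR name when one exists; otherwise the
    literal is kept, which is the failing case in the thread. The PTR answer
    is unauthenticated DNS data, yet it decides which service is requested.
    """
    if is_ip_literal(name):
        return ptr.get(name, name).lower()
    return name.lower()


def mapped_realm(host):
    """Longest matching suffix in the domain-to-realm map, or None."""
    hits = [s for s in DOMAIN_REALM if host.endswith(s)]
    return DOMAIN_REALM[max(hits, key=len)] if hits else None


def fallback_realm(host):
    """Guess a realm by dropping the first label and upper-casing the rest."""
    _, _, parent = host.partition(".")
    return parent.upper() or None


def candidate_principals(name, ptr=PTR_MISSING):
    """Ordered host/ principals this model would request tickets for."""
    host = canonicalize(name, ptr)
    realm = mapped_realm(host)
    if realm:
        return [f"host/{host}@{realm}"]
    out = [f"host/{host}@{DEFAULT_REALM}"]          # first try: default realm
    guess = fallback_realm(host)                    # then: realm guessed from name
    if guess and guess != DEFAULT_REALM:
        out.append(f"host/{host}@{guess}")
    return out
```

Calling candidate_principals("10.14.134.5") with PTR_MISSING and then with PTR_FIXED shows the two outcomes side by side.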