[32959] in Kerberos
Re: ssh to IP literal
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Dec 13 13:15:40 2010
Date: Mon, 13 Dec 2010 12:14:40 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20101213181439.GB29086@oracle.com>
In-Reply-To: <1292263397.20307.444.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Mon, Dec 13, 2010 at 01:03:17PM -0500, Greg Hudson wrote:
> On Mon, 2010-12-13 at 00:34 -0500, Russ Allbery wrote:
> > Well, it poses a problem for domain to realm mappings, as you've seen.
>
> What Russ says is true, but on top of that, the Kerberos library also
> needs to know what service ticket to ask for. It's likely that the
> client tried to get tickets for host/10.14.134.5@defaultrealm before
> falling back to guessing 14.134.5 as the realm.
>
> The proximal issue is that you need a reverse DNS entry for 10.14.134.5.
> (Reliance on DNS for this purpose is a long-standing security issue, but
> we still do it.)
When an app resolves a user-given IP address to a name which is then
used for authentication purposes, the app should prompt the user as to
whether the name is the one the user had intended. Most non-browser
apps don't really do that.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
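The two steps the thread describes, modelled as an added example that is not part of the original messages and not MIT krb5's own code: an IP literal is turned into a host name by a reverse (PTR) lookup, the name is mapped to a realm through a [domain_realm]-style table, and when no mapping exists the client first tries the default realm and then guesses the parent "domain" of the name as the realm (which for 10.14.134.5 yields 14.134.5). The PTR table, the domain_realm table and the default realm ATHENA.MIT.EDU are constructed stand-ins so the code runs offline; `confirm_target` is a hypothetical helper implementing Nico's suggestion that the app show the user what the address resolved to before authenticating against it.

```python
import ipaddress

# Constructed stand-in for reverse DNS (PTR records). Assumed data, not a real lookup.
PTR_TABLE = {
    "10.14.134.5": "ray.example.com.",
}

# Constructed [domain_realm] mapping in krb5.conf style. Assumed data.
DOMAIN_REALM = {
    "ray.example.com": "EXAMPLE.COM",   # exact host mapping
    ".example.com": "EXAMPLE.COM",      # any host under example.com
}

DEFAULT_REALM = "ATHENA.MIT.EDU"        # assumed default_realm


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def canonical_hostname(target, ptr_table=PTR_TABLE):
    """Return (name, came_from_dns).

    For an IP literal the name is taken from a PTR record, which is the
    untrusted step the thread warns about.  With no PTR record the literal
    itself is used as the host name, so the service principal becomes
    host/<ip-literal>@...
    """
    if is_ip_literal(target):
        ptr = ptr_table.get(target)
        if ptr is None:
            return target, False
        return ptr.rstrip(".").lower(), True
    return target.rstrip(".").lower(), False


def realm_for_host(hostname, domain_realm=DOMAIN_REALM):
    """Look up the host, then .parent, .grandparent, ... in domain_realm.

    Returns None when nothing matches, which is what happens for an IP
    literal such as 10.14.134.5 (".14.134.5", ".134.5", ".5" are not mapped).
    """
    if hostname in domain_realm:
        return domain_realm[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def candidate_principals(target, ptr_table=PTR_TABLE,
                         domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Service principals the client would ask for, in the order it tries them."""
    name, _ = canonical_hostname(target, ptr_table)
    realm = realm_for_host(name, domain_realm)
    if realm is not None:
        return ["host/%s@%s" % (name, realm)]
    # Unmapped host: default realm first, then the parent-domain-as-realm guess.
    guesses = ["host/%s@%s" % (name, default_realm)]
    if "." in name:
        parent = name.split(".", 1)[1]
        guesses.append("host/%s@%s" % (name, parent.upper()))
    return guesses


def confirm_target(user_input, ptr_table=PTR_TABLE):
    """Hypothetical pre-authentication check: tell the caller what the
    user-supplied target resolved to, so the app can ask 'did you mean
    ray.example.com?' instead of silently trusting reverse DNS."""
    name, from_dns = canonical_hostname(user_input, ptr_table)
    return {
        "entered": user_input,
        "resolved": name,
        "needs_confirmation": from_dns and name != user_input.lower(),
    }


if __name__ == "__main__":
    for target in ("ray.example.com", "10.14.134.5", "10.99.99.99"):
        print(target, "->", confirm_target(target), candidate_principals(target))
```

Run it and the 10.99.99.99 case (no PTR record in the constructed table) reproduces the failure mode from the thread: the client ends up asking for host/10.99.99.99@ATHENA.MIT.EDU and then host/10.99.99.99@99.99.99, neither of which any KDC has.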