[32973] in Kerberos


Re: ssh to IP literal

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Dec 19 14:36:31 2010

From: Russ Allbery <rra@stanford.edu>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <ielblq$2uaj$1@relay.tomsk.ru> (Victor Sudakov's message of "Sun, 19 Dec 2010 16:25:30 +0000 (UTC)")
Date: Sun, 19 Dec 2010 11:36:25 -0800
Message-ID: <87y67ltv0m.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> writes:
> Russ Allbery wrote:

>> If you add an explicit domain_realm mapping for each IP address to the
>> [domain_realm] section of your krb5.conf file, it will probably work, but
>> it's generally a much better idea to use real host names (possibly in some
>> private domain ending in .local or some similar marker).

> I see. Do I need a real DNS or perhaps /etc/hosts will do? I share
> /etc/hosts as a NIS map.

/etc/hosts should be fine.

> And another question. If a Kerberos-enabled server has several
> principals in its keytab, how exactly does it decide which one to
> use?

It uses whatever one the client uses, in general.  There are some services
that limit what principals they'll accept to only that one principal that
matches what the service thinks is the local hostname, but given how many
problems this causes, an increasing number of services will accept any
principal found in the system keytab.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
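The following is an added example, not part of the thread above and not MIT Kerberos code. It models the [domain_realm] lookup that the exchange is about, so you can see why an IP literal only resolves with an explicit per-address entry while ordinary hostnames pick up a realm through their parent domain. The krb5.conf text, the realm names and the addresses are constructed; the lookup order (exact hostname, then each parent domain written with a leading dot, then default_realm) is a simplified model of the library's behaviour and is an assumption here, so check the krb5.conf documentation for the Kerberos implementation you run.

```python
import re

# Constructed krb5.conf fragment (not taken from the thread). The last
# [domain_realm] line is the explicit per-address mapping the reply describes.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.local = LAB.LOCAL
    192.0.2.10 = LAB.LOCAL
"""


def parse_sections(text):
    """Minimal parser for flat 'key = value' lines grouped under [section]
    headers. Nested braces and other krb5.conf syntax are deliberately
    unsupported; this only needs to read the two sections used here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def host_to_realm(conf, host):
    """Simplified model of the host-to-realm lookup (assumption, not the
    library's code): exact hostname match first, then each parent domain
    with a leading dot, then default_realm. Returns (realm, how_matched).

    An IP literal such as 192.0.2.11 is treated like any other dotted name:
    its "parent domains" are .0.2.11, .2.11 and .11, which never appear in a
    sane config, so without an explicit entry it silently lands in
    default_realm, which may be the wrong realm for that host."""
    mapping = conf.get("domain_realm", {})
    name = host.lower().rstrip(".")
    if name in mapping:
        return mapping[name], "exact"
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "parent " + parent
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        return default, "default_realm"
    return None, "unmapped"


CONF = parse_sections(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for h in ("www.example.com", "db.sub.lab.local", "192.0.2.10", "192.0.2.11"):
        realm, how = host_to_realm(CONF, h)
        print(f"{h:20} -> {realm:12} ({how})")
```

Running it shows the two hostnames resolving through their parent-domain entries, 192.0.2.10 resolving only because of its explicit line, and 192.0.2.11 falling through to default_realm with no error. That silent fallback is the practical reason for the advice in the reply: a hostname under a mapped domain (even one that only exists in /etc/hosts) gets the right realm automatically, whereas every IP literal needs its own line and a forgotten one is not reported as a misconfiguration.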
