[32974] in Kerberos


Re: ssh to IP literal

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 20 00:03:06 2010

From: Greg Hudson <ghudson@mit.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87y67ltv0m.fsf@windlord.stanford.edu>
Date: Mon, 20 Dec 2010 00:02:40 -0500
Message-ID: <1292821360.3219.36.camel@ray>
Mime-Version: 1.0
Cc: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>,
   "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Sun, 2010-12-19 at 14:36 -0500, Russ Allbery wrote:
> It uses whatever one the client uses, in general.

Actually, as of MIT krb5 1.7, we usually ignore the principal sent by
the client, because it might be an alias.  If the server application
doesn't specify a principal, we just try every entry in the keytab until
we find one which can decrypt the ticket.

(The exception is when we're using a keytab with no iterator methods,
such as the KDB keytab.)

> There are some services
> that limit what principals they'll accept to only that one principal that
> matches what the service thinks is the local hostname, but given how many
> problems this causes, an increasing number of services will accept any
> principal found in the system keytab.

This is still true.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
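
The two acceptor behaviours discussed above (krb5 1.7 and later trying every
keytab entry when the server application does not specify a principal, versus
services that accept only the one principal matching the local hostname), as
an added example that is not part of the thread and not MIT krb5 code: a
parser for the on-disk keytab format (version 0x0502) that lists the entries
an acceptor has to choose from, plus a candidate-key filter for each policy.
The realm, hostnames, kvnos, timestamps and zero-filled keys are constructed
for the example; candidate_keys, local_host_principal and deleted_slot are
names made up here.

```python
"""
Enumerate the keys an acceptor could try, read from a krb5 keytab.

Added example, not code from the thread or from MIT krb5. The keytab bytes
are built inline with toy key material; principals and realm are made up.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # krb5 keytab file format, version 2

# Enctype numbers from RFC 3962 (AES) and RFC 4757 (arcfour-hmac).
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _octets(b):
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp=1292821360, name_type=1):
    """Serialise one keytab entry; principal is 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">II", name_type, timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def deleted_slot(nbytes):
    """Hole left by removing an entry: negative size, then that many bytes."""
    return struct.pack(">i", -nbytes) + b"\0" * nbytes


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(entries)


def parse_keytab(data):
    """Return one dict per live entry, skipping deleted holes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        vno = vno8
        if end - pos >= 4:           # 32-bit vno present: it wins over vno8
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def candidate_keys(entries, acceptor_principal=None):
    """Keys an acceptor would try against an incoming ticket.

    None models the krb5 >= 1.7 behaviour: the client-supplied name is ignored
    (it may be an alias) and every keytab entry is a candidate. A pinned
    principal models services that only accept the local-hostname principal.
    """
    if acceptor_principal is None:
        return list(entries)
    return [e for e in entries if e["principal"] == acceptor_principal]


def local_host_principal(hostname, realm, service="host"):
    return "%s/%s@%s" % (service, hostname.lower(), realm)


# Constructed keytab for a host that also answers to an alias name.
SAMPLE_KEYTAB = build_keytab([
    build_entry("host/server.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    build_entry("host/server.example.com@EXAMPLE.COM", 3, 17, bytes(16)),
    build_entry("host/alias.example.com@EXAMPLE.COM", 1, 18, bytes(32)),
    build_entry("HTTP/server.example.com@EXAMPLE.COM", 2, 18, bytes(32)),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:  # the same information klist -kt prints
        print("%d %-40s %s" % (e["kvno"], e["principal"],
                               ENCTYPES.get(e["enctype"], e["enctype"])))
    pinned = local_host_principal("server.example.com", "EXAMPLE.COM")
    print("pinned to %s: %d keys" % (pinned, len(candidate_keys(entries, pinned))))
    print("any principal: %d keys" % len(candidate_keys(entries)))
```

Run it against a real keytab by replacing SAMPLE_KEYTAB with the file's
bytes; the pinned policy returns nothing for a client that obtained a ticket
for the alias name, which is exactly the failure the relaxed policy avoids.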
