[345] in Kerberos


Re: Converting a hostname into its realm

daemon@TELECOM.MIT.EDU (Steve Miller)
Mon Apr 4 14:44:30 1988

From: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller)
To: kerberos@ATHENA.MIT.EDU, MILLER%erlang.DEC@DECWRL.DEC.COM

Two comments -

First, I would not assume a one-to-one mapping from domain name to
Kerberos realm.  We intentionally did NOT use domains as management units
to allow flexibility in configuring security management.  So if you do
a mapping, it should be from a full host name to Kerberos realm. You might
want to try to optimize this by first trying a domain name based translation,
with backup provision of some sort for a host name based translation.

Second, in terms of security, it shouldn't make any difference. If the
realm name is wrong, it could result in a denial of service, 
since you couldn't discover what Kerberos realm to talk to.  In order to 
prevent a service from being spoofed, the mutual authentication option of
Kerberos should be used -- but this is true whether within a single realm
or across realms. The only difference is that if the realm is looked up
transparently behind the user's back, it is easier for them to believe they
are talking to the right realm and server when indeed they are talking to a 
different realm and server.

Steve.
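
An added example, not part of Steve Miller's message: a lookup keyed on the full host name, with a domain table as the common-case shortcut, that also reports which rule chose the realm so the choice is not hidden from the user. The table contents, the function names and the decision to let host entries override domain entries are assumptions made for this example.

```python
# Constructed sample tables: host names and realms are illustrative only.
HOST_REALM = {    # full host name -> realm (per-host exceptions)
    "kdc-test.eng.example.com": "TEST.EXAMPLE.COM",
}
DOMAIN_REALM = {  # domain suffix -> realm (common-case shortcut)
    "example.com": "EXAMPLE.COM",
    "eng.example.com": "ENG.EXAMPLE.COM",
}


def normalize(hostname):
    """Lower-case, drop the trailing root dot, reject partial names."""
    name = hostname.strip().rstrip(".").lower()
    if "." not in name or any(not label for label in name.split(".")):
        raise ValueError("need a fully qualified host name: %r" % hostname)
    return name


def realm_for_host(hostname, host_map=HOST_REALM, domain_map=DOMAIN_REALM):
    """Return (realm, how) for a full host name, or (None, "unmapped").

    Host entries win over domain entries, so one host can belong to a
    different realm from its DNS neighbours. Domain entries are matched
    on whole labels, longest suffix first, so "notexample.com" never
    matches the "example.com" entry.
    """
    name = normalize(hostname)
    if name in host_map:
        return host_map[name], "host"
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domain_map:
            return domain_map[suffix], "domain:" + suffix
    # No default realm: an unmapped host fails closed instead of guessing.
    return None, "unmapped"


if __name__ == "__main__":
    for h in ("kdc-test.eng.example.com", "Build1.ENG.example.com.",
              "www.example.com", "host.notexample.com"):
        print(h, "->", realm_for_host(h))
```
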
