Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?


Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?

rchowneltura
Hi, I am investigating kerberizing of our application using
MIT Kerberos5.  Due to the nature of our application,
we cannot use DNS and must use host IP addresses
instead of hostnames during authentication.

However (I'm a Kerberos newbie), there doesn't seem
to be a way to disable name resolution.  For example,
I can't specify IP addresses for the KDC/kadmind
host in krb5.conf, it doesn't seem to work.

Has anybody had success in configuring only IP addresses
in MIT Kerberos5, or perhaps give me any tips?

Thanks, Richard

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?

Paul Vixie-2
[hidden email] writes:

> Has anybody had success in configuring only IP addresses
> in MIT Kerberos5, or perhaps give me any tips?

when i had to deploy krb5 without dns, i had to distribute an /etc/hosts file.
--
Paul Vixie

Re: Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?

Brian Davidson
My understanding is that the process for determining what service
principal to obtain for a server involves doing
gethostbyaddr(gethostbyname()). That is, find the IP for the given host,
and then find the name associated with that IP. Then ask the KDC for a
ticket for host/name.

So, you don't have to use DNS, but you must have resolvable names.

Brian

On Nov 23, 2005, at 10:28 PM, Paul Vixie wrote:

> [hidden email] writes:
>
>> Has anybody had success in configuring only IP addresses
>> in MIT Kerberos5, or perhaps give me any tips?
>
> when i had to deploy krb5 without dns, i had to distribute an
> /etc/hosts file.
> --
> Paul Vixie


Re: Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?

Fredrik Tolf
On Wed, 2005-11-23 at 09:43 -0800, [hidden email] wrote:
> Hi, I am investigating kerberizing of our application using
> MIT Kerberos5.  Due to the nature of our application,
> we cannot use DNS and must use host IP addresses
> instead of hostnames during authentication.

I believe that host names are required for Kerberos operation, since
they are used in the service principal names.

However, host names aren't necessarily transferred over DNS. I also have
this problem when using services over IPv6, and to help out, I
implemented the FQDN over ICMP service for Linux. If you, too, are using
Linux, you can use the program:

<http://www.dolda2000.com/~fredrik/icmp-dn/>

FQDN over ICMP is specified in RFC 1788 -- it's just that neither the
Linux kernel nor any standard glibc NSS module implements it. Meaning:
It's not just some homebrew protocol of mine, but an open standard. I
don't think Windows supports it, but I'm fairly sure that it would work
when talking to *BSD machines.

Fredrik Tolf



Re: Possible to use only IP addresses in MIT Kerberos (ie: disable DNS name resolution)?

Jeremy Hunt-2
Including the following entry in the libdefaults section of krb5.conf
    dns_lookup_kdc = false
will probably work. And if you don't want DNS for the realm either, then
add the following entry as well:
    dns_lookup_realm = false

See /krb5/man/man5/krb5.conf.5 for details.


[hidden email] wrote:

> Hi, I am investigating kerberizing of our application using
> MIT Kerberos5.  Due to the nature of our application,
> we cannot use DNS and must use host IP addresses
> instead of hostnames during authentication.
>
> However (I'm a Kerberos newbie), there doesn't seem
> to be a way to disable name resolution.  For example,
> I can't specify IP addresses for the KDC/kadmind
> host in krb5.conf, it doesn't seem to work.
>
> Has anybody had success in configuring only IP addresses
> in MIT Kerberos5, or perhaps give me any tips?
>
> Thanks, Richard
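Added example (not from any poster in this thread) that ties the answers together in Python: it parses a constructed /etc/hosts file of the kind Paul distributes, derives the service principal the way Brian describes (forward lookup, then reverse lookup, so a bare IP works only when a reverse entry exists), and checks that a constructed krb5.conf carrying Jeremy's dns_lookup_kdc/dns_lookup_realm settings names its KDC and admin server by IP literal. The realm EXAMPLE.COM, the 192.0.2.0/24 addresses and the IPv4-only host:port parsing are assumptions.

```python
import ipaddress
import re

# Constructed /etc/hosts, distributed to every host instead of relying on DNS.
HOSTS_FILE = """\
192.0.2.10   kdc1.example.com  kdc1
192.0.2.20   app1.example.com  app1
"""

# Constructed krb5.conf fragment: DNS lookups off, KDC given as IPv4 literals.
KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
[realms]
    EXAMPLE.COM = {
        kdc = 192.0.2.10:88
        admin_server = 192.0.2.10
    }
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Build forward (name -> ip) and reverse (ip -> canonical name) maps."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            forward.setdefault(name, fields[0])
        reverse.setdefault(fields[0], fields[1])  # first name is canonical
    return forward, reverse

def service_principal(target, realm, forward, reverse):
    """gethostbyaddr(gethostbyname(target)) -> host/<fqdn>@REALM."""
    ip = target if is_ip(target) else forward.get(target)  # IP skips forward step
    if ip is None or ip not in reverse:
        raise LookupError(f"cannot canonicalize {target}: no reverse mapping")
    return f"host/{reverse[ip]}@{realm}"

def kdcs_are_ip_literals(conf):
    """True when every kdc/admin_server value is an IPv4 literal (optional :port)."""
    values = re.findall(r"^\s*(?:kdc|admin_server)\s*=\s*(\S+)", conf, re.M)
    return all(is_ip(v.split(":")[0]) for v in values)
```

With dns_lookup_kdc = false the library falls back to the [realms] kdc entries, so a hostname there would still need /etc/hosts; the literal-IP check above is what lets the KDC lookup succeed with no name resolution at all.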