
Re: your mail



On Thu, 20 Jul 2000, Bob Beck wrote:

> No it isn't dug, it does *not* require two keys per host.
> All it does is try the fully qualified name *first* then fall back to
> using the short name if that does not work. Either is acceptable to it
> so it is *not* incompatible with the old behaviour.

it does require two keys, if you want to support both naming schemes.

adding that kind of thing for just the KDC spoofing check, without regard
for the naming issues in Kerberos in general (e.g. for service ticket
requests via mk_req(), etc.) is a gross hack. if you don't believe me,
feel free to submit the idea to comp.protocols.kerberos and the KTH krb4
mailing list (krb4_(_at_)_sics_(_dot_)_se) for a second opinion...

-d.

---
http://www.monkey.org/~dugsong/