Pardon this newbish question, but here's the setup: I want to distribute the keys for one host among two realms. Basically, I've got a sensitive service running on a couple of hosts, and a less secure service running on the same hosts. I want to store the keys for the sensitive service in one realm, and the keys for the others in another. Any problems with these premises?

So, I know Kerberos picks the realm in which to find a key based on the hostname - the mapping is based on the hostname. I also know Kerberos uses a host's FQDN - reverse lookup on IP, so if my host has only one IP, it has only one FQDN. I hoped maybe Kerberos grabbed a key using the FQDN, but picked the realm using the hostname in the request. So I created an alias "blue.tint". My server's FQDN is "blue.shade". I hoped connecting to "blue.shade" would use the key "snstv/[EMAIL PROTECTED]", while connecting to "blue.tint" would use the key "inscr/[EMAIL PROTECTED]". It doesn't work this way. Wisely, I guess. But why can't I specify a mapping to realm using all of the sought principal? snstv/* -> SHADE, inscr/* -> TINT?

So my question is, short of giving a host two IP addresses, can I get it using keys from two different realms? Or is this just silly?

Thanks!

Jack

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
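The mapping the post describes (realm chosen from the hostname, not from the service part of the principal) is the client-side [domain_realm] lookup in krb5.conf. The example below is added here and is not code from the post or from MIT krb5: it parses a constructed krb5.conf fragment for the two hypothetical realms SHADE and TINT and reproduces the documented lookup order (exact hostname, then each parent domain with a leading dot, then the upper-cased domain part as a fallback). The `canonical` parameter of `service_principal` is a stand-in for what DNS / reverse-DNS canonicalisation would return; `dns_canonicalize_hostname` and `rdns` are real [libdefaults] options, but the code does no DNS itself.

```python
"""Client-side host-to-realm mapping as MIT krb5 derives it from the
[domain_realm] section.  Added example, not the post's or krb5's code."""
from typing import Dict, Optional

# Constructed krb5.conf fragment for the layout in the post: host
# blue.shade (realm SHADE) with the alias blue.tint (realm TINT).
KRB5_CONF = """\
[libdefaults]
default_realm = SHADE
# Canonicalisation runs *before* the realm lookup; with it on, the alias
# blue.tint collapses to the FQDN blue.shade and therefore to SHADE.
dns_canonicalize_hostname = false
rdns = false

[domain_realm]
blue.shade = SHADE
.shade = SHADE
blue.tint = TINT
.tint = TINT
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the flat 'key = value' sections of krb5.conf.
    Brace-nested sections such as [realms] are not needed for this."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # domain_realm tags are hostnames: compare them case-insensitively.
        current[key.lower()] = value
    return sections


def host_realm(hostname: str, conf: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Realm for an already-canonicalised hostname: exact host entry first,
    then parent domains written with a leading dot (longest match first),
    then the hostname's domain part upper-cased.  Returns None when the
    config gives no answer (the library would then try DNS / referrals)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        tag = "." + ".".join(labels[i:])
        if tag in mapping:
            return mapping[tag]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return None


def service_principal(service: str, requested: str,
                      conf: Dict[str, Dict[str, str]],
                      canonical: Optional[str] = None) -> str:
    """Principal a client asks its KDC for.  `canonical` stands in for the
    name DNS canonicalisation would hand back; when given, it, not the
    name the user typed, drives the realm lookup (the post's observation)."""
    host = (canonical or requested).lower().rstrip(".")
    realm = host_realm(host, conf)
    if realm is None:
        raise ValueError(f"no realm mapping for {host}")
    return f"{service}/{host}@{realm}"


CONF = parse_sections(KRB5_CONF)

if __name__ == "__main__":
    print(service_principal("snstv", "blue.shade", CONF))   # snstv/blue.shade@SHADE
    print(service_principal("inscr", "blue.tint", CONF))    # inscr/blue.tint@TINT
    # What happens once the alias is canonicalised back to the FQDN:
    print(service_principal("inscr", "blue.tint", CONF, canonical="blue.shade"))
```

The server side is not the obstacle: in MIT krb5 a single keytab can hold entries for principals of different realms, so `snstv/blue.shade@SHADE` and `inscr/blue.tint@TINT` can sit side by side on the host. What decides the outcome is whether the client ends up requesting the alias name or the canonical one, which is why the alias only behaves as hoped when canonicalisation is turned off and the [domain_realm] entries for both names are present.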
