On Fri, Apr 24, 2015 at 05:05:32PM -0500, Ben H wrote:
> Nico - I'm not sure I understand your redirection statement. Is this from
> a "man-in-the-middle" type perspective? The fact that each application
> communicates over a specific port would be enough to direct to the correct
> service, no?
Yes. No; I'm assuming no IPsec or anything else to provide protection for TCP packets.

For some sets of protocols no redirection attack may be possible, but ideally the name of the services being different -and their having different keys- should ensure this for all possible sets of protocols on a host.

Consider a database server running many users' databases. Surely you want each user to have a different service name (and service credentials) than all the others...

Not only that, to host many per-user services one needs to make key management easy.

One site I know of uses ${USER}.<server-fqdn> as the hostnames for per-user services, and they happily let any user get keys (different from the rest) for HTTP/${USER}.<server-fqdn> at the server's realm.

Nico
-- 
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
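The following is an added illustration of the point made in the reply above; it is not code from the thread or from MIT Kerberos. It is a toy model: the service-key encryption of a real Kerberos ticket is reduced to an HMAC over the ticket body under the service's long-term key, which is enough to show why a ticket issued for one service is accepted by another when the two share a key, and why distinct per-user principal names with distinct keys (the `HTTP/${USER}.<server-fqdn>` scheme) close that off. The realm, hostnames and principal names are constructed for the example.

```python
"""Toy model of Kerberos ticket-to-service binding.

Constructed example (not code from the thread): a ticket is bound to a service
by being protected under that service's key. Here the "encryption" is reduced
to an HMAC over the ticket body, which is enough to show when a ticket issued
for one service is accepted by another (a redirection) and when it is not.
"""
import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.COM"  # constructed realm name


class ToyKDC:
    """Holds one long-term key per registered service principal."""

    def __init__(self):
        self.keys = {}

    def register(self, principal, key=None):
        # Services that share a keytab entry are registered with the same key.
        self.keys[principal] = key or secrets.token_bytes(32)
        return self.keys[principal]

    def issue_ticket(self, client, sname):
        # The ticket names the client and the service it was issued for,
        # and is bound to that service's key.
        body = json.dumps({"client": client, "sname": sname, "realm": REALM},
                          sort_keys=True).encode()
        tag = hmac.new(self.keys[sname], body, hashlib.sha256).digest()
        return body, tag


class ToyService:
    """A service instance with its principal name and long-term key."""

    def __init__(self, principal, key):
        self.principal = principal
        self.key = key

    def accept(self, ticket):
        """Return the authenticated client name, or None if rejected."""
        body, tag = ticket
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # not protected under our key: not issued for us
        fields = json.loads(body)
        if fields["sname"] != self.principal:
            return None  # same key, but addressed to a different service name
        return fields["client"]


def shared_principal_redirection():
    """Per-user databases all answer as one host principal with one key."""
    kdc = ToyKDC()
    key = kdc.register("postgres/db.example.com")
    alice_db = ToyService("postgres/db.example.com", key)
    bob_db = ToyService("postgres/db.example.com", key)
    # Alice's client obtains a ticket to reach her own database...
    ticket = kdc.issue_ticket("alice@" + REALM, "postgres/db.example.com")
    # ...but if the TCP connection lands on Bob's instance, it is accepted too.
    return alice_db.accept(ticket), bob_db.accept(ticket)


def per_user_principal():
    """Each user's service has its own name and its own key."""
    kdc = ToyKDC()
    alice_key = kdc.register("HTTP/alice.db.example.com")
    bob_key = kdc.register("HTTP/bob.db.example.com")
    alice_svc = ToyService("HTTP/alice.db.example.com", alice_key)
    bob_svc = ToyService("HTTP/bob.db.example.com", bob_key)
    ticket = kdc.issue_ticket("alice@" + REALM, "HTTP/alice.db.example.com")
    # Bob's service cannot verify a ticket bound to Alice's service key.
    return alice_svc.accept(ticket), bob_svc.accept(ticket)


def same_key_different_names():
    """Distinct names but a shared key: only the name check stops redirection."""
    kdc = ToyKDC()
    key = kdc.register("HTTP/alice.db.example.com")
    kdc.register("HTTP/bob.db.example.com", key)
    alice_svc = ToyService("HTTP/alice.db.example.com", key)
    bob_svc = ToyService("HTTP/bob.db.example.com", key)
    ticket = kdc.issue_ticket("alice@" + REALM, "HTTP/alice.db.example.com")
    return alice_svc.accept(ticket), bob_svc.accept(ticket)


if __name__ == "__main__":
    print("shared principal:", shared_principal_redirection())
    print("per-user principal:", per_user_principal())
    print("same key, different names:", same_key_different_names())
```

The first scenario is the one the reply warns about: with one service name and one key for every user's database, nothing in the ticket distinguishes Alice's instance from Bob's, so a misdirected connection is authenticated as Alice anyway. The third scenario shows why both measures are wanted: with distinct names but a shared key, rejection depends entirely on every service instance checking the ticket's service name, whereas with distinct keys the ticket simply fails to verify.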