Date: 27 Jul 2000 15:16:01 -0400
From: Nat Lanza <magus@cs.cmu.edu>
To: Damien Tougas <damien@tougas.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos and DHCP
Message-ID: <uocem4fwfim.fsf@evelake.pdl.cs.cmu.edu>
In-Reply-To: Damien Tougas's message of "Thu, 27 Jul 2000 14:41:01 -0400"
References: <20000727144100.A30282@tougas.net>
Damien Tougas <damien@tougas.net> writes:

> I don't know a lot about kerberos, and was wondering if someone could
> answer a question for me. It is my understanding that kerberos depends
> on a host key for authentication, and that the host key is tied to the
> hostname of the client. If that is the case, how is it possible to use
> kerberos with a client computer that connects via dhcp?

I think you're confusing "uses DHCP" with "does not have a static IP address". It's definitely possible to configure DHCP such that a machine will always be given the same IP address. CMU does this; when I plug my wavelan card into my laptop, it will always be 'pellerin.wv.cc.cmu.edu', even though it's using DHCP.

The difficulty with kerberos is dynamic addresses, and even that is only a problem in some cases. You need a host key if you want to authenticate the host -- for example, a kerberized ssh connection to host foo.cs.cmu.edu wants to make sure that the entity claiming to be foo.cs.cmu.edu really is the real foo.cs.cmu.edu and not an impostor, so it uses foo's host key.

If you just want to use the machine for outbound connections, where you're more interested in authenticating the user than the host, then you don't really need a host key. My laptop exists on three networks (as pellerin.pdl.cs.cmu.edu, pellerin.wv.cc.cmu.edu, and pellerin.rem.cmu.edu), depending on where I am. I don't have a host key on it, and I can still make outbound kerberized ssh and telnet connections, authenticate to AFS, and run various kerberos-aware tools like zephyr in all three networks without problems.

So basically you only really need to care about a host key when the machine is a server. If you only have a dynamic address for the machine, then it's unlikely that you want to use it as a server, so you're fine.
--nat

-- 
nat lanza --------------------- research programmer, parallel data lab, cmu scs
magus@cs.cmu.edu -------------------------------- http://www.cs.cmu.edu/~magus/
there are no whole truths; all truths are half-truths -- alfred north whitehead
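Added worked example, not part of Nat's message or of any Kerberos implementation: a small Python model of the point above, that a client authenticating a *host* asks for `service/canonical-hostname@REALM` and the server must hold exactly that key in its keytab, so a laptop that shows up under three names (or under whatever name its current address reverse-resolves to) can only be verified as a server under a name it has a key for, while outbound use needs no host key. The realm names, `[domain_realm]` mapping, reverse-DNS table and keytab contents are constructed for illustration.

```python
# Added example, not from the original message. Models how a Kerberos
# client derives the host principal it expects a server to prove, and
# why a laptop known as pellerin.pdl / .wv / .rem only needs a host key
# if something kerberized is to be *served* from it. The realm names,
# domain_realm mapping, reverse-DNS table and keytab are all constructed.

DOMAIN_REALM = {              # constructed, in the style of krb5.conf [domain_realm]
    ".cs.cmu.edu": "CS.CMU.EDU",
    ".cmu.edu": "CMU.EDU",
}

PTR = {                       # constructed reverse-DNS table (RFC 5737 addresses)
    "192.0.2.10": "pellerin.pdl.cs.cmu.edu",
    "192.0.2.20": "pellerin.wv.cc.cmu.edu",
    "192.0.2.30": "pellerin.rem.cmu.edu",
}

def realm_for_host(fqdn: str) -> str:
    """Walk [domain_realm] as krb5 does: the exact hostname first, then each
    parent domain with a leading dot; fall back to the upper-cased domain."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:]) if i == 0 else "." + ".".join(labels[i:])
        if key in DOMAIN_REALM:
            return DOMAIN_REALM[key]
    return ".".join(labels[1:]).upper()

def service_principal(service: str, fqdn: str) -> str:
    """The name a client asks the KDC for when it wants to authenticate the
    *host*: service/canonical-hostname@REALM, e.g. host/foo.cs.cmu.edu@CS.CMU.EDU."""
    return f"{service}/{fqdn.lower()}@{realm_for_host(fqdn)}"

def canonical_name(address: str) -> str:
    """Clients that canonicalize through reverse DNS derive the target name
    from the address the host currently holds, so a changing address means
    a changing principal (unknown addresses are used literally)."""
    return PTR.get(address, address)

def server_verifiable(service: str, address: str, keytab: set[str]) -> bool:
    """Mutual authentication succeeds only if the server's keytab holds the
    key for exactly the principal the client derived. Outbound use (kinit as
    a user, then kerberized ssh/telnet) never consults this keytab at all."""
    return service_principal(service, canonical_name(address)) in keytab

if __name__ == "__main__":
    keytab = {"host/pellerin.wv.cc.cmu.edu@CMU.EDU"}   # one host key, one name
    for addr in PTR:
        print(canonical_name(addr), "->", server_verifiable("host", addr, keytab))
```

With a single host key the laptop is verifiable as a server only when it is reached at the address that reverse-resolves to the name in its keytab; the other two networks yield a different principal and fail.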