I'm currently looking to configure a Kerberos V realm and wondering about the risk of having systems in my environment that are not in FQDN (Fully Qualified Domain Name). A lot of my searches mention using FQDNs but don't mention what the risks of not being in FQDN are.
Kerberos Fully qualified domain name
5.4k Views Asked by burgergold At
It's not exactly a risk in the security sense, but it will create much confusion in configuring various clients and servers.
Kerberos depends on the ability of the client and server to agree on the service name to be used by some process that is outside the Kerberos protocol. In other words, if I want to use Kerberos telnet to some host, I need to know in advance what service principal that host is using in its /etc/krb5.keytab. There is no way in the Kerberos protocol for the client to learn this.
By default Kerberos clients usually do a gethostbyname, then gethostbyaddr on the IP address returned, and then use that hostname to construct a service principal. This is where you will run into problems. You might try turning off DNS canonicalization altogether (it's an option in krb5.conf).
There is also the problem of default realm based on hostname, but that's a much simpler one to solve using values in /etc/krb5.conf.
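The lookup chain the answer describes, as an added example that is not part of the original post: constructed forward and reverse records stand in for gethostbyname/gethostbyaddr, and the `dns_canonicalize_hostname` and `rdns` parameters mirror the MIT krb5 `[libdefaults]` options of the same names. The hostnames, addresses, realm mapping and keytab contents are all made up for the illustration.

```python
# Added example: how a client derives host/<name>@REALM from what it was given,
# and why a short name or a stale PTR record leaves it with a principal the
# server does not hold a key for. All data below is constructed.

# name -> (canonical name, address): what a forward lookup with AI_CANONNAME returns
FORWARD = {
    "fileserver": ("fileserver.corp.example.com", "10.0.0.5"),          # short name via search list
    "fileserver.corp.example.com": ("fileserver.corp.example.com", "10.0.0.5"),
    "files.example.com": ("fileserver.corp.example.com", "10.0.0.5"),   # CNAME alias
}
# address -> PTR name: here the PTR was never updated and still names an old host
REVERSE = {"10.0.0.5": "fs01.corp.example.com"}

# [domain_realm] mapping and default_realm from a hypothetical krb5.conf
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM"}
DEFAULT_REALM = "EXAMPLE.COM"

# Principals that actually exist in the server's /etc/krb5.keytab (constructed)
SERVER_KEYTAB = {"host/fileserver.corp.example.com@CORP.EXAMPLE.COM"}


def realm_for_host(name):
    """Longest-suffix match against [domain_realm]; otherwise the default realm."""
    for suffix in sorted(DOMAIN_REALM, key=len, reverse=True):
        if name.endswith(suffix):
            return DOMAIN_REALM[suffix]
    return DEFAULT_REALM


def service_principal(host, dns_canonicalize_hostname=True, rdns=True):
    """Build host/<name>@REALM the way the client would under the given options."""
    name = host.lower().rstrip(".")
    if dns_canonicalize_hostname:
        if name not in FORWARD:
            raise LookupError(f"no A record for {name}")
        canonical, addr = FORWARD[name]
        # rdns=true: the PTR name of the address replaces the forward name
        name = REVERSE.get(addr, canonical) if rdns else canonical
    # canonicalization off: the name is used exactly as typed (lowercased)
    return f"host/{name}@{realm_for_host(name)}"


def server_accepts(principal):
    """True only if the principal the client chose has a key in the server keytab."""
    return principal in SERVER_KEYTAB
```

With default settings the stale PTR record steers the client to `host/fs01.corp.example.com`, which the server cannot decrypt; with canonicalization off, the short name lands in the wrong realm as well, which is the second problem the answer mentions.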