I'm currently looking to configure a Kerberos V realm and wondering about the risk of having systems in my environment that are not in FQDN (Fully Qualified Domain Name). A lot of my searches mention using FQDN but don't mention what the risks of not being in FQDN are.
Kerberos Fully qualified domain name
5.4k Views Asked by burgergold At
It's not exactly a risk in the security sense, but it will create much confusion in configuring various clients and servers.
Kerberos depends on the ability of the client and server to agree on the service name to be used by some process that is outside the Kerberos protocol. In other words, if I want to use Kerberos telnet to some host, I need to know in advance what service principal that host is using in its /etc/krb5.keytab. There is no way in the Kerberos protocol for the client to learn this.
By default Kerberos clients usually do a gethostbyname, then gethostbyaddr on the IP address returned, and then use that hostname to construct a service principal. This is where you will run into problems. You might try turning off DNS canonicalization altogether (it's an option in krb5.conf).
There is also the problem of default realm based on hostname, but that's a much simpler one to solve using values in /etc/krb5.conf.
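
As an added example (not part of the answer above), here is a simplified Python model of the lookup sequence the answer describes. It shows why a server keyed with a short name fails to match when canonicalization is on, and why an FQDN-keyed server fails when a short name is typed with canonicalization off. The lookup tables, host names, realm and keytab contents are constructed sample data; in MIT krb5 the corresponding `[libdefaults]` settings are `dns_canonicalize_hostname` and `rdns`.

```python
# Simplified model of how a Kerberos client builds a service principal name.
# All host names, addresses and the realm are constructed sample data.
REALM = "EXAMPLE.COM"

# Stand-in for the forward lookup: typed name -> (canonical name, address).
FORWARD = {
    "fileserver": ("fileserver.example.com", "10.0.0.5"),
    "fileserver.example.com": ("fileserver.example.com", "10.0.0.5"),
    "legacy": ("legacy.example.com", "10.0.0.9"),
}
# Stand-in for the reverse lookup: address -> PTR name.
REVERSE = {"10.0.0.5": "fileserver.example.com", "10.0.0.9": "legacy.example.com"}

# Principals actually present in each server's keytab (constructed).
KEYTAB = {
    "host/fileserver.example.com@EXAMPLE.COM",  # keyed with the FQDN
    "host/legacy@EXAMPLE.COM",                  # keyed with a short name
}

def service_principal(service, typed_host, canonicalize=True, rdns=True):
    """Return the principal a client would request a ticket for."""
    name = typed_host
    if canonicalize and typed_host in FORWARD:
        name, addr = FORWARD[typed_host]       # forward lookup
        if rdns:
            name = REVERSE.get(addr, name)     # reverse lookup on the address
    return f"{service}/{name.lower()}@{REALM}"

def audit(typed_hosts, **opts):
    """List (typed name, requested principal, present in keytab?)."""
    rows = []
    for host in typed_hosts:
        princ = service_principal("host", host, **opts)
        rows.append((host, princ, princ in KEYTAB))
    return rows

if __name__ == "__main__":
    for label, opts in (("canonicalization on", {}),
                        ("canonicalization off", {"canonicalize": False})):
        print(label)
        for host, princ, ok in audit(["fileserver", "legacy"], **opts):
            print(f"  {host:<12} -> {princ:<42} {'match' if ok else 'NO MATCH'}")
```

Neither setting makes both hosts work at once, which is the configuration confusion that mixing short names and FQDNs produces.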