From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Bryan Montgomery <monty(at)english(dot)net> |
Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: GSS Authentication |
Date: | 2010-06-12 12:19:34 |
Message-ID: | 20100612121933.GW21875@tamriel.snowman.net |
Lists: | pgsql-general |
Bryan,
* Bryan Montgomery (monty(at)english(dot)net) wrote:
> On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Can you elaborate on the DNS requirements? How would I check the reverse
> DNS? I assume just pinging both server by hostname?
Kerberos depends on reverse DNS. Reverse DNS is IP Address -> DNS Name
(rather than forward/regular DNS, which is Name -> IP). Specifically,
when a Kerberos client connects to a server, it will take the IP address
of the host it connected to and try to find the name; it will then use
*that* name to determine what ticket to request from the KDC.
Realm: EXAMPLE.COM
Client system: client.example.com
Client IP 10.10.10.1
Server system: server.example.com
Server IP: 10.10.10.20
Client connects to server and looks up "10.10.10.20" to find out the
server's name is "server.example.com"; it will then ask the KDC for
a "postgres/server(dot)example(dot)com(at)EXAMPLE(dot)COM" ticket. This allows the
server to have other aliases (eg: database.example.com) and for the
client to use that alias to connect to, but then only need 1 principal
(the server.example.com) in the KDC.
Thanks,
Stephen
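The name -> IP -> name round trip described above, as an added example (not code from the original mail or from PostgreSQL). The resolver tables FORWARD and REVERSE are constructed to match the mail's example; by default the functions use the real socket resolver, so the same check can be run against a live DNS setup to see which principal a client will ask the KDC for.

```python
import socket

# Constructed resolver data matching the mail's example (not live DNS).
FORWARD = {
    "server.example.com": "10.10.10.20",
    "database.example.com": "10.10.10.20",  # alias pointing at the same host
    "client.example.com": "10.10.10.1",
}
REVERSE = {
    "10.10.10.20": "server.example.com",
    "10.10.10.1": "client.example.com",
}

def live_forward(name):
    """Forward DNS (Name -> IP) via the system resolver; None if unresolvable."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def live_reverse(ip):
    """Reverse DNS (IP -> Name) via the system resolver; None if no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def service_principal(connect_name, realm, service="postgres",
                      forward=live_forward, reverse=live_reverse):
    """Mimic the client: resolve the name it was told to connect to, look the
    resulting IP back up in reverse DNS, and build the principal from *that*
    name, not from the name the user typed."""
    ip = forward(connect_name)
    if ip is None:
        raise LookupError(f"no forward DNS record for {connect_name}")
    canonical = reverse(ip)
    if canonical is None:
        raise LookupError(f"no reverse DNS (PTR) record for {ip}")
    return f"{service}/{canonical}@{realm}"

def check_kdc_match(connect_name, realm, kdc_principals, service="postgres",
                    forward=live_forward, reverse=live_reverse):
    """Admin-side check: return (principal the client will request, whether
    that principal is among the ones registered in the KDC)."""
    principal = service_principal(connect_name, realm, service, forward, reverse)
    return principal, principal in kdc_principals
```

If the second element comes back False, the PTR record for the server's IP names a host other than the one whose principal exists in the KDC, and GSS authentication will fail even though forward DNS looks fine.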