From: Nat Lanza
To: Damien Tougas
Cc: freebsd-security@freebsd.org
Subject: Re: Kerberos and DHCP
Date: 27 Jul 2000 15:16:01 -0400
In-Reply-To: Damien Tougas's message of "Thu, 27 Jul 2000 14:41:01 -0400"
References: <20000727144100.A30282@tougas.net>

Damien Tougas writes:

> I don't know a lot about kerberos, and was wondering if someone could
> answer a question for me. It is my understanding that kerberos depends
> on a host key for authentication, and that the host key is tied to the
> hostname of the client. If that is the case, how is it possible to use
> kerberos with a client computer that connects via dhcp?

I think you're confusing "uses DHCP" with "does not have a static IP address". It's definitely possible to configure DHCP such that a machine will always be given the same IP address. CMU does this; when I plug my wavelan card into my laptop, it will always be 'pellerin.wv.cc.cmu.edu', even though it's using DHCP.

The difficulty with kerberos is dynamic addresses, and even that is only a problem in some cases. You need a host key if you want to authenticate the host -- for example, a kerberized ssh connection to host foo.cs.cmu.edu wants to make sure that the entity claiming to be foo.cs.cmu.edu really is the real foo.cs.cmu.edu and not an impostor, so it uses foo's host key.

If you just want to use the machine for outbound connections, where you're more interested in authenticating the user than the host, then you don't really need a host key. My laptop exists on three networks (as pellerin.pdl.cs.cmu.edu, pellerin.wv.cc.cmu.edu, and pellerin.rem.cmu.edu), depending on where I am. I don't have a host key on it, and I can still make outbound kerberized ssh and telnet connections, authenticate to AFS, and run various kerberos-aware tools like zephyr in all three networks without problems.

So basically you only really need to care about a host key when the machine is a server. If you only have a dynamic address for the machine, then it's unlikely that you want to use it as a server, so you're fine.

--nat

--
nat lanza --------------------- research programmer, parallel data lab, cmu scs
magus@cs.cmu.edu -------------------------------- http://www.cs.cmu.edu/~magus/
there are no whole truths; all truths are half-truths -- alfred north whitehead
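The "always the same address, even though it's using DHCP" arrangement Nat describes, as an added ISC dhcpd configuration example that is not part of the original message or of CMU's setup; the network, resolver and hardware address are placeholders, only the hostnames come from the post:

```conf
# Added example (not from the original post): ISC dhcpd.conf fragment.
# Ordinary clients draw from a dynamic pool; one laptop is reserved a
# fixed lease so its address and name never change. Placeholder values:
# 192.0.2.0/24 is the documentation network, 00:00:5e:00:53:01 the
# documentation MAC range (RFC 7042).
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;          # pool for dynamic, unreserved clients
  option domain-name "wv.cc.cmu.edu";
  option domain-name-servers 192.0.2.1;   # placeholder resolver
}

# Reservation keyed on the client's link-layer address. The fixed
# address sits outside the dynamic range so no other client can hold it.
host pellerin {
  hardware ethernet 00:00:5e:00:53:01;    # placeholder MAC
  fixed-address 192.0.2.10;               # stable lease for pellerin.wv.cc.cmu.edu
  option host-name "pellerin";
}
```

A reservation like this only makes the name stable; as the post says, a host principal in the keytab still matters only when the machine accepts inbound kerberized connections.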