Subject: Re: ut oh..
To: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
From: Michael Graff <explorer@flame.org>
List: tech-net
Date: 03/22/1996 09:57:31
>This is a *bad* idea.
>
>This introduces a vulnerability to name-server based spoofing.

How is this less secure than the usual problems with DNS?

>I would strongly suggest that you print the server principal name you
>actually end up using if the client pulls this stunt..

It does print the host name.  You would suggest printing, for example,
rcmd.isua2@IASTATE.EDU for the user?

explorer@packrat:~> telnet -ax isua
Trying 129.186.1.133...
Connected to isua2.iastate.edu.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]


--Michael

--
Michael Graff <explorer@flame.org>        NetBSD is the way to go!
PGP key on a key-server near you!         Netshade the world!
	Censorship is as pointless as a football bat.
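
Added example (not part of the original message, and not NetBSD's telnet code): how the Kerberos V4 service principal follows whatever name DNS returns for the typed host, and a check that reports the principal actually used, as suggested in the quoted text. The DNS tables, `local_domain`, the `elsewhere.example` name and the naming rule (instance = first label, realm = upper-cased domain) are assumptions made for illustration.

```python
# Constructed stand-ins for name-server answers (typed name -> canonical name),
# so the example runs offline. Whoever controls the answer controls the value.
HONEST_DNS = {"isua": "isua2.iastate.edu"}        # matches the session in the message
ALTERED_DNS = {"isua": "isua2.elsewhere.example"}  # constructed, hypothetical answer


def v4_principal(hostname, service="rcmd"):
    """Build service.instance@REALM from a fully qualified host name.

    Assumed simplification of the V4 convention: instance is the first
    label in lower case, realm is the remaining domain in upper case.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"need a fully qualified name, got {hostname!r}")
    return f"{service}.{labels[0]}@{'.'.join(labels[1:]).upper()}"


def describe_target(typed, dns, local_domain):
    """Return (principal_used, note) for the host name the user typed."""
    fq_typed = typed if "." in typed else f"{typed}.{local_domain}"
    canonical = dns.get(typed, fq_typed)   # what the resolver handed back
    wanted = v4_principal(fq_typed)        # what the user's input implies
    used = v4_principal(canonical)         # what the client would request
    if used == wanted:
        note = "unchanged"
    elif used.split("@")[1] == wanted.split("@")[1]:
        note = "instance changed by DNS"
    else:
        note = "realm changed by DNS"
    return used, note


if __name__ == "__main__":
    for label, table in (("honest", HONEST_DNS), ("altered", ALTERED_DNS)):
        used, note = describe_target("isua", table, "iastate.edu")
        # Printing the principal, not only the host name, makes the change visible.
        print(f"[{label}] authenticating to {used} ({note})")
```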