Kerberos with Mac OS X (10.2)
vorlon at dodds.net
Tue Sep 17 15:04:38 EDT 2002
On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:
> My question is this: does the name of a service, i.e. ftpd, have to be
> part of the principal name of the service (i.e.
> ftpd/somehost.foo.com@FOO.COM)?
This is application-specific. Some use host/fqdn as their service
principal; some use an app-specific principal; some have configurable
behavior. What ftp server are you using?
> Do I even need a service key in krb5.keytab on the server?
You need to have one in *some* keytab on the server. Unless otherwise
configured, this should be krb5.keytab.
> My understanding is that Kerberos provides assurance that a specific
> user on a specific host is authorized to connect to a specific server.
Um... no. Kerberos *authenticates* users, so that the server has
assurance of the client's identity. It says nothing about what access
they should be granted (authorization), just determines who they are.
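
An added example, not part of the original message and not code from any Kerberos distribution: to check which service principals a server can accept tickets for, the Python below parses the keytab file format (version 0x0502) and lists the principals it holds. The sample keytab, its all-zero keys, the second host name and the helper names are constructed for illustration.

```python
import struct

def build_entry(principal, kvno, enctype, key):
    """Serialize one entry of a version 0x0502 keytab (big-endian fields)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                       # realm, then name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)         # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return (principal, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                               # negative size = deleted entry
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):                  # realm first, then components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno = data[p + 8]                          # after name type + timestamp
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        found.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos += size
    return found

def services_for_host(data, fqdn):
    """Service names (first component) this keytab holds keys for on fqdn."""
    names = (p.split("@")[0].split("/") for p, _, _ in list_principals(data))
    return sorted({n[0] for n in names if len(n) == 2 and n[1] == fqdn})

# Constructed sample: all-zero keys, enctype 18 (aes256-cts-hmac-sha1-96).
SAMPLE = (b"\x05\x02"
          + build_entry("host/somehost.foo.com@FOO.COM", 3, 18, bytes(32))
          + build_entry("host/otherhost.foo.com@FOO.COM", 1, 18, bytes(32)))

if __name__ == "__main__":
    print(list_principals(SAMPLE))
    print(services_for_host(SAMPLE, "somehost.foo.com"))   # no ftpd/ key present
```

A server that expects an application-specific principal such as ftpd/somehost.foo.com@FOO.COM has no matching key in this sample keytab, which holds only host/ entries.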