Kerberos with Mac OS X (10.2)

Tue Sep 17 15:04:38 EDT 2002

On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:

> My question is this:  does the name of a service, i.e. ftpd, have to be 
> part of the principal name of the service (i.e. 
> ftpd/ at FOO.COM)?

This is application-specific.  Some use host/fqdn as their service
principal; some use an app-specific principal; some have configurable
behavior.  What ftp server are you using?

> Do I even need a service key in krb5.keytab on the server? 

You need to have one in *some* keytab on the server.  Unless otherwise 
configured, this should be krb5.keytab.

> My understanding is that Kerberos provides assurance that a specific
> user on a specific host is authorized to connect to a specific server.

Um... no.  Kerberos *authenticates* users, so that the server has
assurance of the client's identity.  It says nothing about what access
they should be granted (authorization), just determines who they are.

Steve Langasek
postmodern programmer

