Kerberos with Mac OS X (10.2)

Steve Langasek vorlon at dodds.net
Tue Sep 17 15:04:38 EDT 2002


On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:

> My question is this:  does the name of a service, i.e. ftpd, have to be
> part of the principal name of the service (i.e.
> ftpd/somehost.foo.com at FOO.COM)?

This is application-specific.  Some use host/fqdn as their service
principal; some use an app-specific principal; some have configurable
behavior.  What ftp server are you using?

> Do I even need a service key in krb5.keytab on the server? 

You need to have one in *some* keytab on the server.  Unless otherwise 
configured, this should be krb5.keytab.

> My understanding is that Kerberos provides assurance that a specific
> user on a specific host is authorized to connect to a specific server.

Um... no.  Kerberos *authenticates* users, so that the server has
assurance of the client's identity.  It says nothing about what access
they should be granted (authorization), just determines who they are
(authentication).

Steve Langasek
postmodern programmer
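As an added example for this thread (not code from the original post and not part of MIT Kerberos), the following Python parses a keytab file and checks whether it holds a key for a given service principal, so an administrator can verify that the principal the application expects (the ftpd/somehost.foo.com@FOO.COM form discussed above, or host/fqdn) is actually present in krb5.keytab. It assumes the documented MIT keytab layout (version bytes 0x05 0x02, big-endian integers, each entry prefixed by an int32 length, a uint16 component count that excludes the realm, the realm and components as uint16-length-prefixed strings, a uint32 name type, uint32 timestamp, uint8 kvno, a key block of uint16 enctype / uint16 length / key bytes, and an optional trailing uint32 kvno). The sample keytab and its keys are constructed dummies built by the included serializer.

```python
"""Parse an MIT Kerberos v5 keytab (format 0x0502) and check for a service key.

Added example for this thread, not code from the original post or from MIT
Kerberos. Layout assumptions are described in the lead-in; all sample keys
below are constructed zero-filled dummies, never real key material.
"""
import struct
from dataclasses import dataclass

KEYTAB_V2 = b"\x05\x02"


@dataclass
class KeytabEntry:
    principal: str   # e.g. "ftpd/somehost.foo.com@FOO.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes       # real tooling should never print this field


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string starting at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Yield KeytabEntry objects; deleted slots (negative length) are skipped."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # deleted entry occupying -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off: off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:             # 32-bit kvno present after the key block
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        yield KeytabEntry("/".join(comps) + "@" + realm.decode(),
                          name_type, ts, kvno, enctype, key)


def has_service_key(data: bytes, service: str, host: str, realm: str) -> bool:
    """True if the keytab contains service/host@REALM (e.g. ftpd/somehost.foo.com@FOO.COM)."""
    wanted = f"{service}/{host}@{realm}"
    return any(e.principal == wanted for e in parse_keytab(data))


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes (test data only)."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytab: a host/ principal and an ftpd/ principal, dummy keys.
# Enctype 18 is aes256-cts-hmac-sha1-96, 17 is aes128-cts-hmac-sha1-96.
SAMPLE_KEYTAB = build_keytab([
    ("host/somehost.foo.com@FOO.COM", 3, 18, bytes(32)),
    ("ftpd/somehost.foo.com@FOO.COM", 2, 17, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno} enctype={e.enctype}")
    print("ftpd key present:",
          has_service_key(SAMPLE_KEYTAB, "ftpd", "somehost.foo.com", "FOO.COM"))
```

To run this against a real file, read /etc/krb5.keytab (or whatever path the application is configured to use) as bytes and pass it to has_service_key with the service name the daemon expects; a missing entry for that exact principal is the usual reason a service cannot validate tickets even though some other key is in the keytab.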
