questions about pre-auth

[Jeffrey Altman]

Johannes russek wrote:

> hi there
> i'd like to allow my users access to a kerberized service from anywhere in
> the internet. to use it even more secure, i'd like to require pre-auth, so i
> have control over the client machines.
> now my question: is the hostname part in the client-machines host/foo at REALM
> ticket as sensitive as server-machine host ticket hostnames are? am i only
> able to use pre-auth for machines, that have static hostnames?
> what about dynamic hostnames for mobile users for example?
> best regards, johannes russek

When accessing a service, pre-authentication is not used to obtain the 
service principal.  The user principal has already been authenticated 
before the service ticket request is made to the KDC.

Pre-authentication would only be needed for a "host/fqdn" service 
principal if the machine itself were going to obtain a TGT for itself
in order for it to authenticate to some other service.

Somehow I think you were trying to ask a different question.  I think
you were trying to ask "must the DNS name of the machine match the fqdn
specified in the "host/fqdn" principal assigned to the machine?"
The answer is not necessarily but for all practical purposes 'yes'.
The client must be able to determine the fqdn of the machine in order
to request a "host/fqdn" service ticket.  The service running on the
machine must know its fqdn in order to be able to read the appropriate
keytab entry for itself.

Typically, you would use dynamic DNS to update a commonly known entry
for the machine with its IP address.  When using Active Directory or
Lucent's QIP DNS service, this dynamic update can be machine 
authenticated using GSSAPI Kerberos 5.  In this case, the machine would
know its own name, obtain a TGT, authenticate to the DNS service and
publish its new IP address for the world to see.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu