Host principals

Sam Hartman hartmans at MIT.EDU
Tue May 4 12:59:16 EDT 2004


>>>>> "Neulinger," == Neulinger, Nathan <nneul at umr.edu> writes:

    Neulinger,> Host principals are not for the host to authenticate,
    Neulinger,> it's for users to authenticate to that host. i.e. ssh
    Neulinger,> w/ gssapi, krb telnet, krb ftp, etc.

No, it is for both.

No, actually host principals serve three purposes:

1) The one Nathan mentions--authenticating to the host.

2) Verifying local logins to the host--even on the console.  This is
   really a subset of 1, but is important even for hosts that you
   don't want to ssh into.

3) For the host to authenticate as itself in order to connect to other
   services.  For example, you typically run backups and other
   host-based services like that authenticated as the host.


Note that purposes 2 and 3 only require the host have some principal,
not that the principal match the current hostname.

--Sam


