Kerberos, POP3

Jeffrey Hutzelman jhutz at
Mon Feb 21 13:52:20 EST 2005

On Saturday, February 19, 2005 10:48:44 PM -0600 Mukul Sabharwal 
<mukul at> wrote:

> Hello,
> I had a few questions, which are puzzling me, and not many resources (at
> least none I could find seemed to answer the question in a way I could
> understand!)
> My understanding:
>> Client talks to Authentication Server (AS) Authentication Server talks
>> back to Client
> The above communication I think seems to be
> bash$: kinit user
> password for ...


> I have a TGT now. This is about all I can fairly grasp. Beyond this point,
> many resources say, that the client sends the service name or whatever to
> the Auth Server, seems confusing.
> Now that I have a TGT, what really happens, is the program (ktelnet, or
> rlogin for example supposed to do something, like talk to a Ticket Getting
> Service??)

Yes, that's exactly what happens.

Your application must first determine the correct principal name for the 
service it wants to talk to (this is based on the protocol specification 
and on information provided by the user; it can't be provided by the 
server).  In most cases this will consist of a part specifying the type of 
service you want to talk to, and a part specifying the host on which that 
service runs.  You will also need to determine the name of the correct 
Kerberos realm, which is usually based on the server hostname and some 
local configuration.  For example, if you are connecting to a Kerberized 
POP server on the host, the correct service principal will be

  pop/ at EXAMPLE.COM

In general, your Kerberos libraries will provide a function which does all 
of the hard work here.  For example, the MIT Kerberos libraries provide a 
function krb5_sname_to_principal, which takes a service name like "pop" and 
a hostname and gives you back a krb5_principal object suitable for use in 
later calls to the library.

Next your program will need to talk to the Ticket-Granting Service (TGS) to 
obtain a ticket for that service.  This is normally done automatically for 
you by the Kerberos library, whenever you use krb5_mk_req or krb5_sendauth 
to attempt to authenticate to a service for which you do not already have a 
cached ticket.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
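
Added example, not part of the original message and not MIT Kerberos code: a simplified Python model of how a client builds the service principal from a service type and a user-supplied hostname, taking the realm from local configuration rather than from the server. The hostnames and the mapping table (modelled on a krb5.conf [domain_realm] section) are constructed assumptions.

```python
# Added example: simplified model of client-side service-principal construction.
# The mapping table and hostnames below are constructed sample values.

DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",              # every host under example.com
    "pop.lab.example.com": "LAB.EXAMPLE.COM",   # single-host override
}


def host_realm(hostname, table=DOMAIN_REALM):
    """Map a hostname to a realm, trying the most specific entry first."""
    p = hostname.lower().rstrip(".")
    while p:
        if p in table:
            return table[p]
        # Walk up the name: "a.b.c" -> ".b.c" -> "b.c" -> ".c" -> "c"
        if p.startswith("."):
            p = p[1:]
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""
    # This example refuses to guess a realm when nothing is configured.
    raise LookupError(f"no realm configured for {hostname!r}")


def service_principal(service, hostname, table=DOMAIN_REALM):
    """Build 'service/host@REALM' from client-side inputs only."""
    if not service or any(c in service for c in "/@"):
        raise ValueError("service type must be a single name component")
    host = hostname.lower().rstrip(".")
    if not host or any(c in host for c in "/@ "):
        raise ValueError("hostname is empty or contains a separator")
    return f"{service}/{host}@{host_realm(host, table)}"


if __name__ == "__main__":
    for h in ("Mail.Example.COM", "pop.lab.example.com"):
        print(service_principal("pop", h))
```

Because every input comes from the protocol, the user and local configuration, a server cannot steer the client toward a principal whose key it happens to hold.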
