Kerberos, POP3
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Feb 21 13:52:20 EST 2005
On Saturday, February 19, 2005 10:48:44 PM -0600 Mukul Sabharwal
<mukul at iastate.edu> wrote:
> Hello,
>
> I had a few questions, which are puzzling me, and not many resources (at
> least none I could find seemed to answer the question in a way I could
> understand!)
>
> My understanding:
>
>> Client talks to Authentication Server (AS) Authentication Server talks
>> back to Client
>
> The above communication I think seems to be
>
> bash$: kinit user
> password for ...
Correct.
>
> I have a TGT now. This is about all I can fairly grasp. Beyond this point,
> many resources say, that the client sends the service name or whatever to
> the Auth Server, seems confusing.
>
> Now that I have a TGT, what really happens, is the program (ktelnet, or
> rlogin for example supposed to do something, like talk to a Ticket Getting
> Service??)
Yes, that's exactly what happens.
Your application must first determine the correct principal name for the
service it wants to talk to (this is based on the protocol specification
and on information provided by the user; it can't be provided by the
server). In most cases this will consist of a part specifying the type of
service you want to talk to, and a part specifying the host on which that
service runs. You will also need to determine the name of the correct
Kerberos realm, which is usually based on the server hostname and some
local configuration. For example, if you are connecting to a Kerberized
POP server on the host foo.example.com, the correct service principal will
be
pop/foo.example.com@EXAMPLE.COM
In general, your Kerberos libraries will provide a function which does all
of the hard work here. For example, the MIT Kerberos libraries provide a
function krb5_sname_to_principal, which takes a service name like "pop" and
a hostname and gives you back a krb5_principal object suitable for use in
later calls to the library.
Next your program will need to talk to the Ticket-Granting Service (TGS) to
obtain a ticket for that service. This is normally done automatically for
you by the Kerberos library, whenever you use krb5_mk_req or krb5_sendauth
to attempt to authenticate to a service for which you do not already have a
cached ticket.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
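Added example, not part of the thread and not the MIT library's own code: a small Python model of the name construction Jeffrey describes, i.e. what krb5_sname_to_principal has to do from a service name, a hostname and local configuration. It parses a constructed krb5.conf fragment (SAMPLE_KRB5_CONF is made up for this example) and resolves the realm by the longest matching [domain_realm] entry, falling back to default_realm.

```python
"""Client-side derivation of a Kerberos service principal:
service/hostname@REALM, with REALM taken from local [domain_realm] config.
Simplified model of krb5_sname_to_principal, not the libkrb5 implementation."""

import re

# Constructed krb5.conf fragment for this example (not from any real host).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal [section] / key = value parser; '#' starts a comment."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()
    return sections


def host_to_realm(hostname, conf):
    """Exact host entry first, then parent domains (most specific wins),
    then default_realm; None if nothing applies."""
    host = hostname.lower().rstrip('.')
    domain_realm = conf.get('domain_realm', {})
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return conf.get('libdefaults', {}).get('default_realm')


def sname_to_principal(service, hostname, conf):
    """Build 'service/host@REALM'; the host part is lower-cased and
    stripped of a trailing dot, as a client would canonicalize it."""
    realm = host_to_realm(hostname, conf)
    if realm is None:
        raise ValueError('no realm known for %s' % hostname)
    return '%s/%s@%s' % (service, hostname.lower().rstrip('.'), realm)
```

Real libkrb5 may additionally canonicalize the hostname through DNS depending on the dns_canonicalize_hostname and rdns settings, which is exactly why this mapping must be decided by the client and its configuration rather than by whatever the server claims to be.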