principal for ftp service ---> Can I use anything other than ftp/fqdn@REALM ?
Markus Moeller
huaraz at moeller.plus.com
Sat Apr 22 10:07:25 EDT 2006
Sandy,
the FTP GSSAPI security extension is defined in RFC 2228 and requires
ftp@hostname or host@hostname for the GSSAPI context, which translates to an
ftp/fqdn@REALM or host/fqdn@REALM Kerberos SPN:
The client must begin the authentication exchange by calling
GSS_Init_Sec_Context, passing in 0 for input_context_handle
(initially), and a targ_name equal to output_name from
GSS_Import_Name called with input_name_type of Host-Based Service and
input_name_string of "ftp@hostname" where "hostname" is the fully
qualified host name of the server with all letters in lower case.
(Failing this, the client may try again using input_name_string of
"host@hostname".) The output_token must then be base 64 encoded and
sent to the server as the argument to an ADAT command. If
GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client
must expect a token to be returned in the reply to the ADAT command.
This token must subsequently be passed to another call to
GSS_Init_Sec_Context. In this case, if GSS_Init_Sec_Context returns
no output_token, then the reply code from the server for the previous
ADAT command must have been 235. If GSS_Init_Sec_Context returns
GSS_S_COMPLETE, then no further tokens are expected from the server,
and the client must consider the server authenticated.
You can use anything you want for your own client-server application.
Regards
Markus
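The ADAT exchange quoted above, as an added example that is not part of this thread or of any FTP implementation: it builds the RFC 2228 host-based target name (ftp@fqdn, lower-cased, with the host@fqdn fallback), maps it to the Kerberos SPN the KDC and keytab must hold, frames the base64 tokens in ADAT commands and 235/335/5xx replies, and drives the client loop exactly as the RFC text prescribes. The GSS context itself is a toy HMAC stand-in (ToyInitiator/ToyAcceptor), not Kerberos; the hostname FTP.Example.COM, the realm EXAMPLE.COM and the keytab contents are constructed for the demo. The mismatched-keytab case shows the failure Sandy describes when the KDC/keytab entry does not match the name the client asks for.

```python
import base64
import hmac
import os
import re

GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"


class AuthError(Exception):
    pass


def gss_target_name(hostname, service="ftp"):
    """RFC 2228 target: host-based service name "<service>@<fqdn>", fqdn lower-cased.
    Clients try "ftp@<fqdn>" first and may fall back to "host@<fqdn>"."""
    host = hostname.strip().rstrip(".").lower()
    if not host or " " in host or "@" in host:
        raise ValueError(f"not a usable host name: {hostname!r}")
    return f"{service}@{host}"


def krb5_principal(target_name, realm):
    """The Kerberos SPN the KDC and the server keytab must hold for that GSS name."""
    service, host = target_name.split("@", 1)
    return f"{service}/{host}@{realm}"


def adat_command(token):
    """ADAT carries the base64-encoded GSS token."""
    return "ADAT " + base64.b64encode(token).decode("ascii") + "\r\n"


_REPLY = re.compile(r"^(\d{3})(?:\s+ADAT=([A-Za-z0-9+/=]+)|\s.*)?$")


def parse_adat_reply(line):
    """Return (code, token); token is b"" when the reply carries no ADAT= data."""
    m = _REPLY.match(line.strip())
    if not m:
        raise AuthError(f"malformed reply: {line!r}")
    return int(m.group(1)), (base64.b64decode(m.group(2)) if m.group(2) else b"")


class ToyInitiator:
    """Hypothetical stand-in for GSS_Init_Sec_Context: one token out, one token in
    (mutual authentication over a key both sides share by construction)."""

    def __init__(self, target_name, key):
        self.target, self.key, self.nonce = target_name, key, os.urandom(8)

    def init_sec_context(self, input_token):
        if not input_token:                       # first call: emit our "AP-REQ"
            body = self.target.encode() + b"\0" + self.nonce
            return GSS_S_CONTINUE_NEEDED, body + hmac.new(self.key, body, "sha256").digest()
        expect = hmac.new(self.key, b"AP-REP" + self.nonce, "sha256").digest()
        if not hmac.compare_digest(input_token, expect):   # server must prove the key
            raise AuthError("server failed to prove knowledge of the service key")
        return GSS_S_COMPLETE, b""


class ToyAcceptor:
    """Hypothetical FTP server side: keytab maps Kerberos SPN -> key, answers ADAT."""

    def __init__(self, keytab, realm):
        self.keytab, self.realm = keytab, realm

    def handle(self, command):
        m = re.match(r"^ADAT (\S+)\r\n$", command)
        if not m:
            return "501 Syntax error in ADAT argument\r\n"
        name, _, rest = base64.b64decode(m.group(1)).partition(b"\0")
        nonce, mac = rest[:8], rest[8:]
        key = self.keytab.get(krb5_principal(name.decode(), self.realm))
        if key is None:                           # no keytab entry for that SPN
            return "535 Failed security check\r\n"
        if not hmac.compare_digest(mac, hmac.new(key, name + b"\0" + nonce, "sha256").digest()):
            return "535 Failed security check\r\n"
        rep = hmac.new(key, b"AP-REP" + nonce, "sha256").digest()
        return "235 ADAT=" + base64.b64encode(rep).decode("ascii") + "\r\n"


def client_authenticate(ctx, send):
    """Drive the ADAT exchange as RFC 2228 prescribes; send(cmd) returns the reply."""
    status, out_tok = ctx.init_sec_context(b"")
    code, in_tok = None, b""
    while True:
        if out_tok:
            code, in_tok = parse_adat_reply(send(adat_command(out_tok)))
            if code not in (235, 335):
                raise AuthError(f"server rejected ADAT with {code}")
        if status == GSS_S_COMPLETE:
            if code != 235:          # no output_token: previous reply must have been 235
                raise AuthError(f"context complete but last reply was {code}")
            return True
        if not in_tok:               # CONTINUE_NEEDED: the reply must have carried a token
            raise AuthError("expected a token in the ADAT reply")
        status, out_tok = ctx.init_sec_context(in_tok)
        in_tok = b""


def demo(hostname="FTP.Example.COM", realm="EXAMPLE.COM", keytab_principals=None):
    """Constructed scenario: one shared key stands in for what the KDC would issue."""
    key = os.urandom(32)
    if keytab_principals is None:
        keytab_principals = [krb5_principal(gss_target_name(hostname), realm)]
    server = ToyAcceptor({p: key for p in keytab_principals}, realm)
    for service in ("ftp", "host"):               # RFC 2228: try ftp@, then host@
        target = gss_target_name(hostname, service)
        try:
            client_authenticate(ToyInitiator(target, key), server.handle)
            return f"authenticated as {target}"
        except AuthError as e:
            last = str(e)
    return last
```

Running demo() with the default keytab succeeds via ftp@ftp.example.com; a keytab holding only host/ftp.example.com@EXAMPLE.COM succeeds through the RFC's host@ fallback; a keytab holding some other name (ftp/myhost@EXAMPLE.COM) gets 535 on every attempt, which is why changing the principal form needs changes on both the client and the server rather than just a different keytab entry.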
<sandypossible at gmail.com> wrote in message
news:1145684713.756954.268350 at v46g2000cwv.googlegroups.com...
> Hi all,
>
> I have a query regarding the usage of the kerberos principals of the
> format "<service>/<FQDN>@<REALM>". My question is can I use any other
> principal format other than <service>/<FQDN>@<REALM> ? The
> <service>/<FQDN>@<REALM> is the common convention used.
>
> Giving an example, say for example, I am using a kerberized ftp
> application. As of now, the keytab entries and the service entry on the KDC
> have the ftp principal of the format ftp/fqdn@REALM. I am able
> to successfully do an ftp connection using kerberos.
>
> My requirement is to avoid use of the fqdn. Can I do it? Can I use a
> principal of my convenience? I have noticed that when I start the ftp
> client, by default it tries to get a TGS of the form ftp/fqdn@REALM. If I
> have a different entry for the ftp service in the KDC, this will definitely
> fail. So does this requirement require changes in the ftp server code and
> client code?
>
> 1) First of all, can I do it this way (using an ftp principal other than the
> standard method of using the fqdn)?
>
> 2) Could anybody please tell me what are the issues involved here ?
>
> 3) Issues involved when all the systems in the realm are non-Windows
> machines
>
> 4) Interoperability issues, like when I use an ftp server on Linux and try
> to connect to it from a Windows machine.
>
> Regards,
> Sandy.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>