'host' principals
Ken Raeburn
raeburn at MIT.EDU
Mon Jan 8 20:56:30 EST 2007
On Jan 8, 2007, at 20:45, Jeff Blaine wrote:
> It's my understanding that any Kerberos application server
> (let's say we're going to offer FTP service) needs to have
> a host principal for the FTP server host *in addition to*
> an ftp/whatever principal. Why? I am clearly failing to
> remember something incredibly simple that is not spelled out
> well in the docs.

The "host" principal is used for a collection of services generally
related to logging in to the server -- Kerberos rsh/rlogin and ssh,
for example.

As it happens, FTP is a special case. The FTP spec for doing
Kerberos (actually, GSSAPI) authentication says to try authenticating
using the "ftp" service principal, but if that fails, ``the client
may try again using input_name_string of "host@hostname"'' (i.e., use
the host principal). So for FTP, you need to have at least one of
the two.

Ken
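
The check implied by the reply above, as an added example that is not part of the original message: given plain `klist -k` output for the FTP server's keytab, report which principal the server could accept, following the client's order of attempts ("ftp" first, then "host"). The hostname, realm and keytab listing are constructed, the function names are hypothetical, and the code assumes the usual Kerberos mapping of the GSSAPI name "service@hostname" to the principal service/hostname@REALM.

```python
import re

# Constructed sample of `klist -k` output for an FTP server host
# (hostname and realm are placeholders, not values from the message).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ftp.example.com@EXAMPLE.COM
   3 host/ftp.example.com@EXAMPLE.COM
   2 nfs/ftp.example.com@EXAMPLE.COM
"""

# A keytab entry line: KVNO, then the principal; anything after it
# (such as the enctype column printed by `klist -ke`) is ignored.
ENTRY = re.compile(r"^\s*\d+\s+(\S+@\S+)")


def keytab_principals(klist_text):
    """Return the set of (service, host) pairs listed in `klist -k` output."""
    found = set()
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # keytab name, column header, separator or blank line
        name = m.group(1).rsplit("@", 1)[0]  # drop the realm
        service, sep, host = name.partition("/")
        if sep:  # keep only service/host style principals
            found.add((service, host.lower()))
    return found


def ftp_acceptor(klist_text, hostname):
    """Return the principal (without realm) a GSSAPI FTP client could
    authenticate to, trying "ftp" before "host", or None if the keytab
    holds neither for this hostname."""
    have = keytab_principals(klist_text)
    for service in ("ftp", "host"):  # order of attempts described above
        if (service, hostname.lower()) in have:
            return f"{service}/{hostname.lower()}"
    return None


if __name__ == "__main__":
    print(ftp_acceptor(SAMPLE_KLIST, "ftp.example.com"))
```

A `None` result means the keytab holds neither principal for that hostname, so a GSSAPI FTP login to it cannot succeed with either name.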