'host' principals

Jeff Blaine jblaine at kickflop.net
Mon Jan 8 21:04:17 EST 2007


Ken Raeburn wrote:
> On Jan 8, 2007, at 20:45, Jeff Blaine wrote:
>> It's my understanding that any Kerberos application server
>> (let's say we're going to offer FTP service) needs to have
>> a host principal for the FTP server host *in addition to*
>> an ftp/whatever principal.  Why?  I am clearly failing to
>> remember something incredibly simple that is not spelled out
>> well in the docs.
> 
> The "host" principal is used for a collection of services generally 
> related to logging in to the server -- Kerberos rsh/rlogin and ssh, for 
> example.

Thanks Ken -

Yeah, it's that 'generally related to logging in' part
that throws me.

That at least answers my next question, which was going to be,
"What do I do for SSH?  I forget."

What are the criteria host-principal-used-or-not is based on
for various apps?  There has to be some sort of criteria
I am not privy to or maybe a documented list of common
apps and what they require?

> As it happens, FTP is a special case.  The FTP spec for doing Kerberos 
> (actually, GSSAPI) authentication says to try authenticating using the 
> "ftp" service principal, but if that fails, ``the client may try again 
> using input_name_string of "host@hostname"'' (i.e., use the host 
> principal).  So for FTP, you need to have at least one of the two.
> 
> Ken
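
The service-name rules described in this thread (login services such as rsh, rlogin and ssh use the "host" principal; FTP tries "ftp" first and may retry with "host"), as an added example that is not part of the original messages. It checks constructed `klist -k` output against those rules; the hostname ftp.example.com, the realm and the function names are assumptions.

```python
import re

# Candidate service names per the thread: login services use "host";
# FTP tries "ftp" first, then may retry with "host".
CANDIDATES = {
    "rsh": ["host"], "rlogin": ["host"], "ssh": ["host"],
    "ftp": ["ftp", "host"],
}

# Constructed `klist -k` output for a hypothetical server ftp.example.com.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/ftp.example.com@EXAMPLE.COM
   3 host/ftp.example.com@EXAMPLE.COM
   2 ftp/other.example.com@EXAMPLE.COM
"""

# One keytab row: "<kvno> <service>/<hostname>@<REALM>"
ENTRY = re.compile(r"^\s*\d+\s+([^/@\s]+)/([^@\s]+)@(\S+)\s*$")

def keytab_services(klist_output):
    """Return the set of (service, hostname) pairs listed in `klist -k` output."""
    pairs = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            pairs.add((m.group(1), m.group(2).lower()))
    return pairs

def usable_names(app, hostname, klist_output):
    """GSSAPI host-based names (service@hostname) a client of `app` would
    try, in order, that this keytab holds a key for."""
    if app not in CANDIDATES:
        raise ValueError(f"no rule from the thread for {app!r}")
    have = keytab_services(klist_output)
    return [f"{svc}@{hostname}" for svc in CANDIDATES[app]
            if (svc, hostname.lower()) in have]

if __name__ == "__main__":
    for app in ("ftp", "ssh"):
        names = usable_names(app, "ftp.example.com", SAMPLE_KLIST)
        print(app, "->", names or "no usable key: clients cannot authenticate")
```

An empty result for "ftp" means the keytab has neither of the two principals, which is the case the thread says must be avoided.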


