'host' principals
Jeff Blaine
jblaine at kickflop.net
Mon Jan 8 21:04:17 EST 2007
Ken Raeburn wrote:
> On Jan 8, 2007, at 20:45, Jeff Blaine wrote:
>> It's my understanding that any Kerberos application server
>> (let's say we're going to offer FTP service) needs to have
>> a host principal for the FTP server host *in addition to*
>> an ftp/whatever principal. Why? I am clearly failing to
>> remember something incredibly simple that is not spelled out
>> well in the docs.
>
> The "host" principal is used for a collection of services generally
> related to logging in to the server -- Kerberos rsh/rlogin and ssh, for
> example.
Thanks Ken -
Yeah, it's that 'generally related to logging in' part
that throws me.
That at least answers my next question, which was going to be,
"What do I do for SSH? I forget."
What's the criteria host-principal-used-or-not is based on
for various apps? There has to be some sort of criteria
I am not privy to or maybe a documented list of common
apps and what they require?
> As it happens, FTP is a special case. The FTP spec for doing Kerberos
> (actually, GSSAPI) authentication says to try authenticating using the
> "ftp" service principal, but if that fails, ``the client may try again
> using input_name_string of "host@hostname"'' (i.e., use the host
> principal). So for FTP, you need to have at least one of the two.
>
> Ken
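
The lookup order described in the quoted reply, as an added example that is not part of the original thread: it parses `klist -k` style output and reports which service key a client would end up authenticating against for FTP ("ftp" first, then "host") and for the login services ("host" only). The hostnames, realm, keytab listing, `TRY_ORDER` table and function names are constructed for illustration; a GSSAPI name `ftp@hostname` corresponds to the Kerberos principal `ftp/hostname@REALM`.

```python
import re

# Constructed sample in `klist -k` layout; entries from several hosts are
# combined into one listing for illustration. Names and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/ftp1.example.com@EXAMPLE.COM
   2 ftp/ftp2.example.com@EXAMPLE.COM
   2 host/ftp2.example.com@EXAMPLE.COM
   1 HTTP/web1.example.com@EXAMPLE.COM
"""

# Service names tried, in order, as stated in the thread (assumed table):
# FTP tries "ftp" and may retry with "host"; login services use "host".
TRY_ORDER = {"ftp": ["ftp", "host"], "ssh": ["host"],
             "rlogin": ["host"], "rsh": ["host"]}

# One keytab entry line: KVNO, then service/hostname@REALM.
ENTRY = re.compile(r"^\s*\d+\s+([^/@\s]+)/([^@\s]+)@(\S+)\s*$")

def keytab_services(klist_output):
    """Return {hostname: set of service names} parsed from `klist -k` text."""
    found = {}
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            service, host, _realm = m.groups()
            found.setdefault(host.lower(), set()).add(service)
    return found

def principal_used(app, hostname, services_by_host):
    """First service in the app's try order that the host has a key for."""
    have = services_by_host.get(hostname.lower(), set())
    for name in TRY_ORDER[app]:
        if name in have:
            return f"{name}/{hostname.lower()}"
    return None  # neither key present: Kerberos auth for this app fails

if __name__ == "__main__":
    svc = keytab_services(SAMPLE_KLIST)
    for app, host in [("ftp", "ftp1.example.com"),
                      ("ftp", "ftp2.example.com"),
                      ("ssh", "web1.example.com")]:
        print(app, host, "->", principal_used(app, host, svc) or "no usable key")
```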