'host' principals

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Jan 8 22:12:15 EST 2007


>What's the criteria host-principal-used-or-not is based on
>for various apps?  There has to be some sort of criteria
>I am not privy to or maybe a documented list of common
>apps and what they require?

The base Kerberos protocol specification doesn't talk about naming,
because naming ends up being a hard problem.  So what we have is a
series of conventions that have grown up over time, and in some
cases have been codified into protocol descriptions, but in general
there are no formal criteria.  The only thing that _really_ matters
is that the client and server agree on the service principal to use.

I think most people would agree that "host" should be used for the
traditional "logging into a remote system" type of things that Unix
users are used to.  So, the common uses of "host" that I know about
are Kerberos telnet, Kerberos rlogin/rsh, and ssh (Ken already
described how ftp is an exception).

Looking at these in turn, Kerberos telnet, rlogin, and rsh used the
convention coming from Kerberos 4 (where "host" was called "rcmd").
So I guess to really get an answer about that, you'd have to talk to
the people who made that call for Kerberos 4 (some of them are probably
still here).  If someone made a new protocol that acted like Kerberos
telnet or ssh, it would probably make sense to use "host" for that.

The RFCs for Kerberos telnet and Kerberos ssh specify that you should
use "host".  There are no formal protocol descriptions for the BSD
r-protocols.

For other IETF protocols, what is generally done is a specific
service name is specified in the protocol description (well, most
of the time a specific GSSAPI target name is given, which ends up
being a Kerberos service principal).  In the case of SASL-ified
protocols, this is part of a protocol's SASL profile, and the protocol
designer(s) pick that name.  So for POP we have "pop", for IMAP we
have "imap", for SMTP AUTH we have "smtp", and so on.  So really, it's
not application-specific, it's protocol-specific.

In the case of non-IETF protocols ... well, again, that's up to the
protocol designer.  I modified Paul Vixie's "rtty" to use Kerberos
authentication, and in that case I used the service name "console".
We Kerberized VNC here, and I believe the person who did that work
chose "vncviewer" as the service name.  I could have chosen
"britneyspears" as the service name, and that would have been fine
as long as the client and server agreed (generally, we try to pick
a service name that is meaningful so administrators have an idea what
a particular service principal is for).

So, there is no centralized list, but it's specified in each protocol.

--Ken
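Added example, not from the message above or from any Kerberos implementation: a small Python helper that applies the naming conventions listed in the message to derive the GSS-API target name ("service@host") and the Kerberos service principal ("service/host@REALM") for a given protocol, then checks that the server side actually holds a key for that exact principal, which is the one thing the message says has to agree. The protocol table and the keytab set are constructed for the example; the hostname canonicalisation rules and the separate realm argument are assumptions.

```python
# Service name per protocol, as listed in the message. "console" and
# "vncviewer" are the site-local choices described there, not IETF names.
SERVICE_NAME = {
    "telnet": "host", "rlogin": "host", "rsh": "host", "ssh": "host",
    "pop": "pop", "imap": "imap", "smtp": "smtp",
    "rtty": "console", "vnc": "vncviewer",
}


def service_name(protocol):
    """Look up the convention; an unknown protocol has no convention,
    so the protocol designer must pick one (no guessing here)."""
    try:
        return SERVICE_NAME[protocol]
    except KeyError:
        raise ValueError(f"no service-name convention known for {protocol!r}")


def canonical_host(hostname):
    """Assumption: the caller passes a resolved FQDN. Lower-case it and
    strip a trailing dot so client and server derive the same string."""
    host = hostname.strip().lower().rstrip(".")
    if not host or "/" in host or "@" in host:
        raise ValueError(f"not a usable hostname: {hostname!r}")
    return host


def gss_target_name(protocol, hostname):
    """GSS-API host-based name, the form most protocol specs give."""
    return f"{service_name(protocol)}@{canonical_host(hostname)}"


def service_principal(protocol, hostname, realm):
    """Kerberos principal the GSS host-based name maps to (realm as given)."""
    return f"{service_name(protocol)}/{canonical_host(hostname)}@{realm}"


def check_agreement(protocol, hostname, realm, keytab_principals):
    """Return (ok, expected, hint). keytab_principals is the set of
    principals the server has keys for (constructed input; in practice
    the list `klist -k` prints). The hint names other principals for the
    same host, which is the usual cause of a 'wrong service name' failure."""
    expected = service_principal(protocol, hostname, realm)
    if expected in keytab_principals:
        return True, expected, ""
    host = canonical_host(hostname)
    same_host = sorted(p for p in keytab_principals
                       if p.split("@")[0].endswith("/" + host))
    hint = f"server has no key for {expected}"
    if same_host:
        hint += f"; keys present for that host: {same_host}"
    return False, expected, hint
```

With a keytab that holds only host/... and imap/... for a mail host, a client speaking POP is told exactly which principal is missing and which ones the server does have, instead of an opaque KDC or GSS error.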
