'host' principals

Jeff Blaine jblaine at kickflop.net
Mon Jan 8 23:37:28 EST 2007


Excellent explanation, Ken.  I don't feel stupid at all
for asking my question now that I see it's not as obvious
as I thought it would be.

I'm glad I asked.

Ken Hornstein wrote:
>> What's the criteria host-principal-used-or-not is based on
>> for various apps?  There has to be some sort of criteria
>> I am not privy to or maybe a documented list of common
>> apps and what they require?
> 
> The base Kerberos protocol specification doesn't talk about naming,
> because naming ends up being a hard problem.  So what we have is a
> series of conventions that have grown up over time, and in some
> cases have been codified into protocol descriptions, but in general
> there are no formal criteria.  The only thing that _really_ matters
> is that the client and server agree on the service principal to use.
> 
> I think most people would agree that "host" should be used for the
> traditional "logging into a remote system" type of things that Unix
> users are used to.  So, the common uses of "host" that I know about
> are Kerberos telnet, Kerberos rlogin/rsh, and ssh (Ken already
> described how ftp is an exception).
> 
> Looking at these in turn, Kerberos telnet, rlogin, and rsh used the
> convention coming from Kerberos 4 (where "host" was called "rcmd").
> So I guess to really get an answer about that, you'd have to talk to
> the people who made that call for Kerberos 4 (some of them are probably
> still here).  If someone made a new protocol that acted like Kerberos
> telnet or ssh, it would probably make sense to use "host" for that.
> 
> The RFCs for Kerberos telnet and Kerberos ssh specify that you should
> use "host".  There are no formal protocol descriptions for the BSD
> r-protocols.
> 
> For other IETF protocols, what is generally done is a specific
> service name is specified in the protocol description (well, most
> of the time a specific GSSAPI target name is given, which ends up
> being a Kerberos service principal).  In the case of SASL-ified
> protocols, this is part of a protocol's SASL profile, and the protocol
> designer(s) pick that name.  So for POP we have "pop", for IMAP we
> have "imap", for SMTP AUTH we have "smtp", and so on.  So really, it's
> not application-specific, it's protocol-specific.
> 
> In the case of non-IETF protocols ... well, again, that's up to the
> protocol designer.  I modified Paul Vixie's "rtty" to use Kerberos
> authentication, and in that case I used the service name "console".
> We Kerberized VNC here, and I believe the person who did that work
> chose "vncviewer" as the service name.  I could have chosen
> "britneyspears" as the service name, and that would have been fine
> as long as the client and server agreed (generally, we try to pick
> a service name that is meaningful so administrators have an idea what
> a particular service principal is for).
> 
> So, there is no centralized list, but it's specified in each protocol.
> 
> --Ken
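The point Ken makes above, that the only hard requirement is that client and server agree on the service principal, is easy to get wrong in practice (a client using the old "rcmd" name against a server keyed for "host", or a client naming a CNAME while the keytab holds the canonical hostname). The following is an added example, not code from the thread or from any Kerberos implementation: it turns a GSS-API host-based name like `imap@mail.example.com` into the `service/host@REALM` principal, encodes the per-protocol conventions Ken lists, and reports why a client's expected principal is absent from a server's key list. The realm, hostnames and keytab contents are constructed sample values.

```python
"""
Added example (not part of the mailing-list thread): derive Kerberos service
principals from GSS-API host-based names and explain client/server
disagreements about which principal to use.
"""
from dataclasses import dataclass
from typing import List, Optional

# Service-name conventions named in the thread.  Each comes from the
# protocol specification or SASL profile, not from the application.
CONVENTIONAL_SERVICE = {
    "telnet": "host",
    "rlogin": "host",
    "rsh": "host",
    "ssh": "host",
    "pop": "pop",
    "imap": "imap",
    "smtp": "smtp",
}


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def principal_from_hostbased(name: str, realm: str) -> Principal:
    """Map a GSS host-based name 'service@host' to 'service/host@REALM'.

    DNS names are case-insensitive but principal names are not, so the host
    part is lowercased and a trailing dot is dropped; the realm is uppercased.
    """
    service, sep, host = name.partition("@")
    if not sep or not service or not host:
        raise ValueError(f"not a host-based name: {name!r}")
    return Principal(service, host.lower().rstrip("."), realm.upper())


def expected_principal(protocol: str, host: str, realm: str) -> Principal:
    """Principal a client should ask for, using the conventional service name."""
    service = CONVENTIONAL_SERVICE[protocol]          # KeyError for unknown protocols
    return principal_from_hostbased(f"{service}@{host}", realm)


def parse_principal(text: str) -> Principal:
    """Parse 'service/host@REALM' into its parts."""
    name, sep, realm = text.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"missing realm in {text!r}")
    service, slash, host = name.partition("/")
    if not slash or not service or not host:
        raise ValueError(f"not a service principal: {text!r}")
    return Principal(service, host, realm)


def explain_mismatch(expected: Principal, keytab: List[Principal]) -> Optional[str]:
    """Return None when the server holds a key for the client's expected name,
    otherwise a one-line diagnosis of why the two sides disagree."""
    if expected in keytab:
        return None
    same_host = [p for p in keytab
                 if p.host == expected.host and p.realm == expected.realm]
    if same_host:
        have = ", ".join(sorted(p.service for p in same_host))
        return (f"server has service(s) {have} for {expected.host} "
                f"but client asked for {expected.service}")
    same_service = [p for p in keytab if p.service == expected.service]
    if same_service:
        hosts = ", ".join(sorted(p.host for p in same_service))
        return (f"server keys for {expected.service} are for {hosts}; "
                f"client named {expected.host} (alias or wrong realm?)")
    return f"server has no key for {expected}"


if __name__ == "__main__":
    # Constructed keytab for a sample server; not real data.
    keytab = [parse_principal("host/shell.example.com@EXAMPLE.COM"),
              parse_principal("imap/mail.example.com@EXAMPLE.COM")]
    for gss_name in ("host@Shell.Example.COM.", "rcmd@shell.example.com",
                     "imap@mail-alias.example.com"):
        want = principal_from_hostbased(gss_name, "example.com")
        print(want, "->", explain_mismatch(want, keytab) or "ok")
```

Running the block prints the match for the canonical `host/` name and the two diagnoses (the Kerberos 4 style `rcmd` name, and a client naming an alias rather than the host the keytab was made for), which is the shape of the debugging conversation that usually follows "the client and server must agree".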
