Is a Kerberos principal always a DNS name?

John Hascall john at iastate.edu
Thu Apr 24 23:23:14 EDT 2008



> If we take for example an sshd server on a typical Unix host, how does
> it figure out its own principal name? Suppose it has keys for
> multiple principals in the keytab, which one would it choose?

I can't speak for how sshd does it, but the way it should
be done is that the server leaves the 'server' arg to
krb5_rd_req (or krb5_recvauth) unspecified; then the library
code will grab the name of the server principal out of
the request.  Then, upon successful return, the server
can check that the principal used was acceptable to it.

John
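
An added example, not part of the original message and not sshd's or the Kerberos library's code: one way a server could do the "was the principal acceptable" check after the library call returns. It assumes the server already has the principal name in text form (for instance from krb5_unparse_name on the ticket's server field); the function names, host names and realm are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define PART 256

/* Split "service/host@REALM" into its parts. A backslash may escape only
 * '/', '@' or '\'; anything else is rejected. Returns 0 on success, else -1. */
static int split_principal(const char *p, char *svc, char *host, char *realm)
{
    char *out[3] = { svc, host, realm };
    size_t n = 0;
    int part = 0;
    for (; *p; p++) {
        if (*p == '\\') {
            p++;                       /* take the escaped separator literally */
            if (*p != '/' && *p != '@' && *p != '\\') return -1;
        } else if ((*p == '/' && part == 0) || (*p == '@' && part == 1)) {
            out[part++][n] = '\0'; n = 0;
            continue;
        } else if (*p == '/' || *p == '@') {
            return -1;                 /* extra component or misplaced '@' */
        }
        if (n + 1 >= PART) return -1;  /* fail closed on oversized parts */
        out[part][n++] = *p;
    }
    out[part][n] = '\0';
    return (part == 2 && *svc && *host && *realm) ? 0 : -1;
}

/* Constructed policy for an sshd-like daemon: service "host" only, under
 * either of this machine's names, in one realm. */
static const char *OK_HOSTS[] = { "web1.example.com", "www.example.com" };

static int principal_acceptable(const char *unparsed)
{
    char svc[PART], host[PART], realm[PART];
    if (split_principal(unparsed, svc, host, realm) != 0) return 0;
    if (strcmp(svc, "host") != 0 || strcmp(realm, "EXAMPLE.COM") != 0) return 0;
    for (size_t i = 0; i < sizeof OK_HOSTS / sizeof OK_HOSTS[0]; i++)
        if (strcmp(host, OK_HOSTS[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed: the second name stands for another key in the same keytab. */
    const char *seen[] = { "host/www.example.com@EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM" };
    for (size_t i = 0; i < 2; i++)
        printf("%s: %s\n", seen[i], principal_acceptable(seen[i]) ? "accept" : "reject");
    return 0;
}
```

The comparison is exact on all three parts, so a ticket issued for a different service whose key happens to sit in the same keytab is rejected even though the library could decrypt it.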


