Is a Kerberos principal always a DNS name?
Simon Wilkinson
simon at sxw.org.uk
Sat Apr 26 05:28:57 EDT 2008
On 25 Apr 2008, at 04:23, John Hascall wrote:
>
>
>> If we take for example an sshd server on a typical Unix host, how
>> does
>> it figure out its own principal name? Suppose it has keys for
>> multiple principals in the keytab, which one would it choose?
>
> I can't speak for how sshd does it,
I can - certainly for OpenSSH.
If you're using out of the box OpenSSH, then it ties the acceptor
principal to being host/fqdn, where the FQDN is the fully qualified
domain name version of the machine's hostname.
With my patches, turning off the GSSAPIStrictAcceptorCheck option
will let it use any principal in the default keytab. SSH is a GSSAPI
protocol, so this is implemented at the GSSAPI, rather than kerberos,
API level (by using GSS_C_NO_CREDENTIALS for the server principal
when calling accept_sec_context). It doesn't currently do the final
step, of making sure that the chosen acceptors service name is
'host' - because there's no method exposed in the current GSSAPI
which will let you do so in a mechanism independent manner.
Simon.
More information about the Kerberos
mailing list