Is a Kerberos principal always a DNS name?

Simon Wilkinson simon at
Sat Apr 26 05:28:57 EDT 2008

On 25 Apr 2008, at 04:23, John Hascall wrote:
>> If we take for example an sshd server on a typical Unix host, how  
>> does
>> it figure out its own principal name? Suppose it has keys for
>> multiple principals in the keytab, which one would it choose?
> I can't speak for how sshd does it,

I can - certainly for OpenSSH.

If you're using out of the box OpenSSH, then it ties the acceptor  
principal to being host/fqdn, where the FQDN is the fully qualified  
domain name version of the machine's hostname.

With my patches, turning off the GSSAPIStrictAcceptorCheck option  
will let it use any principal in the default keytab. SSH is a GSSAPI  
protocol, so this is implemented at the GSSAPI, rather than kerberos,  
API level (by using GSS_C_NO_CREDENTIALS for the server principal  
when calling accept_sec_context). It doesn't currently do the final  
step, of making sure that the chosen acceptors  service name is  
'host' - because there's no method exposed in the current GSSAPI  
which will let you do so in a mechanism independent manner.


More information about the Kerberos mailing list