Greg Hudson ghudson at MIT.EDU
Wed Jan 26 12:54:18 EST 2011

On Tue, 2011-01-25 at 23:16 -0500, Victor Sudakov wrote:
> Colleagues, 
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g. 
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

The choice of service principal is primarily made by the client.
Typically the first component is determined by the application protocol.

Servers can also designate a principal name, but they have no control
over the principal name used by the client.  Because it's not easy to
know the hostname of the service principal chosen by the client in many
scenarios, server implementations are tending in the direction of
accepting requests for any service principal in the keytab.  If a server
does designate a principal name, there's no generic configuration
mechanism; it's up to the server code.

More information about the Kerberos mailing list