Greg Hudson ghudson at MIT.EDU
Thu Jan 27 16:31:59 EST 2011

On Wed, 2011-01-26 at 23:42 -0500, Victor Sudakov wrote:
> Do you mean that the server will look up in the keytab whatever
> principal the client has sent?

That depends on how the server code invokes the relevant library
routines.  The caller can provide a principal name (or a GSSAPI name
which is mapped onto a principal name), in which case only service
tickets for that principal will be accepted.  If the server does not
provide a principal name, then any service principal in the keytab will
be accepted.

OpenSSH, for instance, will typically only accept the service principal
host/localhostname at DEFAULTREALM in the default configuration.  However,
if you set GSSStrictAcceptorCheck no (this requires Simon's patch, which
is included in most OS packagings of OpenSSH), then any service
principal in the keytab will be accepted.

> So if I want a different principal
> name, I should configure the client rather than the server?

Typically clients do not allow configuration of this principal name, but
yes, you'd have to somehow convince the client as well as possibly the

More information about the Kerberos mailing list