[27181] in Kerberos
Re: 'host' principals
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Mon Jan 8 20:57:03 2007
In-Reply-To: <45A2F3D3.2070908@kickflop.net>
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <539B18AE-069C-4924-956F-8B20FCB8A96D@mit.edu>
From: Ken Raeburn <raeburn@mit.edu>
Date: Mon, 8 Jan 2007 20:56:30 -0500
To: Jeff Blaine <jblaine@kickflop.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Jan 8, 2007, at 20:45, Jeff Blaine wrote:
> It's my understanding that any Kerberos application server
> (let's say we're going to offer FTP service) needs to have
> a host principal for the FTP server host *in addition to*
> an ftp/whatever principal. Why? I am clearly failing to
> remember something incredibly simple that is not spelled out
> well in the docs.
The "host" principal is used for a collection of services generally
related to logging in to the server -- Kerberos rsh/rlogin and ssh,
for example.
As it happens, FTP is a special case. The FTP spec for doing
Kerberos (actually, GSSAPI) authentication says to try authenticating
using the "ftp" service principal, but if that fails, ``the client
may try again using input_name_string of "host@hostname"'' (i.e., use
the host principal). So for FTP, you need to have at least one of
the two.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
