[27184] in Kerberos
Re: 'host' principals
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Mon Jan 8 23:38:27 2007
Message-ID: <45A31C08.50907@kickflop.net>
Date: Mon, 08 Jan 2007 23:37:28 -0500
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <200701090312.l093CFgL022435@ginger.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Excellent explanation, Ken. I don't feel stupid at all
for asking my question now that I see it's not as obvious
as I thought it would be.
I'm glad I asked.
Ken Hornstein wrote:
>> What's the criteria host-principal-used-or-not is based on
>> for various apps? There has to be some sort of criteria
>> I am not privy to or maybe a documented list of common
>> apps and what they require?
>
> The base Kerberos protocol specification doesn't talk about naming,
> because naming ends up being a hard problem. So what we have is a
> series of conventions that have grown up over time, and in some
> cases have been codified into protocol descriptions, but in general
> there are no formal criteria. The only thing that _really_ matters
> is that the client and server agree on the service principal to use.
>
> I think most people would agree that "host" should be used for the
> traditional "logging into a remote system" type of things that Unix
> users are used to. So, the common uses of "host" that I know about
> are Kerberos telnet, Kerberos rlogin/rsh, and ssh (Ken already
> described how ftp is an exception).
>
> Looking at these in turn, Kerberos telnet, rlogin, and rsh used the
> convention coming from Kerberos 4 (where "host" was called "rcmd").
> So I guess to really get an answer about that, you'd have to talk to
> the people who made that call for Kerberos 4 (some of them are probably
> still here). If someone made a new protocol that acted like Kerberos
> telnet or ssh, it would probably make sense to use "host" for that.
>
> The RFCs for Kerberos telnet and Kerberos ssh specify that you should
> use "host". There are no formal protocol descriptions for the BSD
> r-protocols.
>
> For other IETF protocols, what is generally done is a specific
> service name is specified in the protocol description (well, most
> of the time a specific GSSAPI target name is given, which ends up
> being a Kerberos service principal). In the case of SASL-ified
> protocols, this is part of a protocol's SASL profile, and the protocol
> designer(s) pick that name. So for POP we have "pop", for IMAP we
> have "imap", for SMTP AUTH we have "smtp", and so on. So really, it's
> not application-specific, it's protocol-specific.
>
> In the case of non-IETF protocols ... well, again, that's up to the
> protocol designer. I modified Paul Vixie's "rtty" to use Kerberos
> authentication, and in that case I used the service name "console".
> We Kerberized VNC here, and I believe the person who did that work
> chose "vncviewer" as the service name. I could have chosen
> "britneyspears" as the service name, and that would have been fine
> as long as the client and server agreed (generally, we try to pick
> a service name that is meaningful so administrators have an idea what
> a particular service principal is for).
>
> So, there is no centralized list, but it's specified in each protocol.
>
> --Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
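The practical consequence of Ken's point (the client and server must agree on the service principal, and the name is fixed per protocol rather than per application) is that a host's keytab must hold exactly the principals its protocols will be asked for. The following Python is an added example, not code from the thread or from MIT Kerberos: it parses constructed `klist -k` style output and reports needed principals that are missing, including entries that differ from the needed name only by case (Kerberos principal names are case-sensitive). The protocol-to-service-name table, the assumption that clients canonicalize the host part to lowercase, and the sample keytab listing are all assumptions made for the example.

```python
import re

# Conventional service-name component per protocol. The "host" entries and the
# pop/imap/smtp names follow the conventions the thread describes; treating this
# table as complete for any site is an assumption, since the name is fixed by
# each protocol's specification (or SASL profile), not by a central registry.
SERVICE_NAME_BY_PROTOCOL = {
    "ssh": "host",
    "telnet": "host",
    "rlogin": "host",
    "rsh": "host",
    "pop": "pop",
    "imap": "imap",
    "smtp": "smtp",
}


def service_principal(protocol, fqdn, realm):
    """Build the service principal a client will ask the KDC for."""
    try:
        service = SERVICE_NAME_BY_PROTOCOL[protocol]
    except KeyError:
        raise ValueError(
            f"no known service name for {protocol!r}; consult that protocol's "
            "specification or SASL profile"
        ) from None
    # Assumption: clients canonicalize the host part to lowercase, so the
    # keytab entry must be lowercase too (principal names are case-sensitive).
    return f"{service}/{fqdn.lower()}@{realm}"


# Matches the data rows of 'klist -k' output: a KVNO column, then the principal.
_KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist_keytab(text):
    """Parse 'klist -k' style output into {principal: set of KVNOs}."""
    entries = {}
    for line in text.splitlines():
        m = _KEYTAB_ROW.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def check_keytab(klist_output, fqdn, realm, protocols):
    """Return (missing, near_misses).

    missing: principals the host needs for its protocols but the keytab lacks.
    near_misses: (needed, found) pairs where a keytab entry differs from a
    needed principal only by case, which Kerberos still treats as a different
    principal, so authentication would fail despite the entry looking right.
    """
    present = parse_klist_keytab(klist_output)
    by_lower = {p.lower(): p for p in present}
    # Several protocols (ssh, telnet, rlogin, rsh) share "host", so dedupe.
    needed_set = {service_principal(p, fqdn, realm) for p in protocols}
    missing, near_misses = [], []
    for needed in sorted(needed_set):
        if needed in present:
            continue
        missing.append(needed)
        if needed.lower() in by_lower:
            near_misses.append((needed, by_lower[needed.lower()]))
    return missing, near_misses


# Constructed sample of 'klist -k' output for a mail host; not a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/mail.example.com@EXAMPLE.COM
   3 imap/mail.example.com@EXAMPLE.COM
   3 smtp/MAIL.example.com@EXAMPLE.COM
"""


if __name__ == "__main__":
    missing, near = check_keytab(
        SAMPLE_KLIST, "mail.example.com", "EXAMPLE.COM", ["ssh", "imap", "smtp"]
    )
    for p in missing:
        print("MISSING:", p)
    for needed, found in near:
        print(f"CASE MISMATCH: need {needed}, keytab has {found}")
```

Run against real output by piping `klist -k` into `check_keytab`; the protocols list is whatever the host actually serves, and an unknown protocol raises rather than guessing, because, as the thread says, the right name lives in that protocol's own specification.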