[29761] in Kerberos


Re: Is a Kerberos principal always a DNS name?

daemon@ATHENA.MIT.EDU (John Hascall)
Thu Apr 24 23:24:38 2008

To: kerberos@mit.edu
In-reply-to: Your message of Fri, 25 Apr 2008 02:07:32 -0000.
	<fured4$vvq$3@relay.tomsk.ru> 
Date: Thu, 24 Apr 2008 22:23:14 CDT
Message-ID: <24749.1209093794@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>



> If we take for example an sshd server on a typical Unix host, how does
> it figure out its own principal name? Suppose it has keys for
> multiple principals in the keytab, which one would it choose?

I can't speak for how sshd does it, but the way it should
be done is that the server leaves the 'server' arg to
krb5_rd_req (or krb5_recvauth) unspecified; then the library
code will grab the name of the server principal out of
the request.  Then, upon successful return, the server
can check that the principal used was acceptable to it.

John
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
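
Added example, not part of the original message and not sshd's or MIT's code: a stand-alone sketch of the acceptability check the reply describes. It assumes the server has already obtained the ticket's server principal as text (for instance via krb5_unparse_name) and does not call libkrb5 itself; the struct, function names and policy values are hypothetical and constructed for illustration.

```c
#include <string.h>

#define MAX_COMP 4
struct princ { char buf[256]; const char *comp[MAX_COMP]; int ncomp; const char *realm; };

/* Constructed sample policy: services this daemon offers, names this host answers to. */
static const char *const SERVICES[]  = { "host", NULL };
static const char *const HOSTNAMES[] = { "shell.example.org", "login.example.org", NULL };
static const char *const REALM = "EXAMPLE.ORG";

/* Split "comp/comp@REALM". A backslash makes the next byte literal (simplified:
 * \n, \t, \b and \0 are not expanded). Returns 0 on success, -1 if malformed. */
static int parse_princ(const char *s, struct princ *p)
{
    size_t n = strlen(s), o = 0;
    if (n >= sizeof p->buf) return -1;
    p->ncomp = 1; p->comp[0] = p->buf; p->realm = NULL;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\\') {
            if (++i == n) return -1;              /* dangling escape */
            p->buf[o++] = s[i];
        } else if (s[i] == '@' && !p->realm) {
            p->buf[o++] = '\0'; p->realm = &p->buf[o];
        } else if (s[i] == '/' && !p->realm) {
            if (p->ncomp == MAX_COMP) return -1;
            p->buf[o++] = '\0'; p->comp[p->ncomp++] = &p->buf[o];
        } else
            p->buf[o++] = s[i];
    }
    p->buf[o] = '\0';
    return p->realm ? 0 : -1;
}

static int in_list(const char *v, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(v, *list) == 0) return 1;
    return 0;
}

/* Returns 1 only for a two-component service/host@REALM name that matches the policy. */
static int acceptable(const char *unparsed)
{
    struct princ p;
    if (parse_princ(unparsed, &p) != 0 || p.ncomp != 2) return 0;
    return strcmp(p.realm, REALM) == 0 && in_list(p.comp[0], SERVICES)
        && in_list(p.comp[1], HOSTNAMES);
}

int main(void) { return acceptable("host/shell.example.org@EXAMPLE.ORG") ? 0 : 1; }
```

Comparison is exact and case-sensitive, so a keytab entry for another service or a single-component principal is rejected even though the library could decrypt a ticket for it.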
