[33145] in Kerberos
Re: acceptor
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jan 26 12:54:25 2011
From: Greg Hudson <ghudson@mit.edu>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <iho77m$1etd$1@relay.tomsk.ru>
Date: Wed, 26 Jan 2011 12:54:18 -0500
Message-ID: <1296064458.2456.569.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Tue, 2011-01-25 at 23:16 -0500, Victor Sudakov wrote:
> Colleagues,
>
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g.
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

The choice of service principal is primarily made by the client.
Typically the first component is determined by the application protocol.
Servers can also designate a principal name, but they have no control
over the principal name used by the client. Because it's not easy to
know the hostname of the service principal chosen by the client in many
scenarios, server implementations are tending in the direction of
accepting requests for any service principal in the keytab. If a server
does designate a principal name, there's no generic configuration
mechanism; it's up to the server code.
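
Added example, not part of the original message and not MIT krb5 code: a small Python model of the two acceptor behaviours described in the reply (a server that designates one principal versus one that accepts any principal in its keytab), run over constructed output in the layout of `klist -k`. The host names, realm, keytab contents and function names are assumptions made for illustration.

```python
# Added illustration: models acceptor selection only, calls no Kerberos library.
# Constructed sample in the layout printed by MIT `klist -k`; the repeated
# host/ row stands for one key version stored under two encryption types.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/foo.example.com@EXAMPLE.COM
   3 host/foo.example.com@EXAMPLE.COM
   2 svn/foo.example.com@EXAMPLE.COM
   1 HTTP/www.example.com@EXAMPLE.COM
"""

def parse_klist(text):
    """Return the set of (principal, kvno) pairs listed in `klist -k` output."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        # Data rows are "<kvno> <principal>"; the name line, column header
        # and dashed rule do not match this shape and are skipped.
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            entries.add((parts[1], int(parts[0])))
    return entries

def accepts(entries, ticket_sname, ticket_kvno, acceptor_name=None):
    """Model the acceptor's decision for a ticket issued for ticket_sname.

    acceptor_name=None: any principal in the keytab is acceptable.
    acceptor_name set:  the server code has designated one principal.
    Simplification: the key is looked up by exact principal and kvno.
    """
    if acceptor_name is not None and ticket_sname != acceptor_name:
        return False  # client chose a principal the server did not designate
    return (ticket_sname, ticket_kvno) in entries

def exposed_services(entries, expected_service):
    """Keytab principals whose first component is not the expected service."""
    return sorted({p for p, _ in entries
                   if p.split("/", 1)[0] != expected_service})

if __name__ == "__main__":
    kt = parse_klist(SAMPLE_KLIST)
    # What a daemon expected to serve only host/ would also accept when it
    # takes any principal found in this keytab.
    for principal in exposed_services(kt, "host"):
        print("also acceptable:", principal)
```

When a server accepts any principal in the keytab, the set of names it answers to is decided by which keys that keytab file holds, so the keytab contents are the thing to review.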