principal selection


principal selection

Victor Sudakov
I hope this list is not dead? Because I have another question.

If a kerberized server has several keys in its keytab, probably with
different FQDNs, realms, principal names etc, how does it select which
one to use? What's the selection process?

E.g. to figure out which principal to use, does it look at

1. The value of `hostname`
2. The value of $HOST
3. The result of a reverse DNS lookup (which interface?)
4. Config file
5. Tries all available keys
6. ???

If the selection process is documented somewhere, please give a link.

Thanks a lot in advance.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: principal selection

Markus Moeller
Hi Victor,

It depends on what is programmed in the application. For squid I
programmed it so that the default is to use the hostname. The only important
information which is not controlled by the application is the kvno value.
Each key usually has a version number (which usually corresponds to a
password change of the account).

If you do not use GSS_C_NO_NAME, all of these must match: kvno, service,
host name (if provided) and realm.
If you use GSS_C_NO_NAME, Kerberos will try one key after the other until
it finds a key which can decrypt the provided encrypted data structure.

Regards
Markus


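As an added illustration of the matching rules described above (this is not code from the thread, from squid, or from any Kerberos library): a small Python model that writes and parses an MIT-format keytab, then lists which keys an acceptor would try for a ticket with a given kvno and enctype, once with an explicit acceptor name and once in the GSS_C_NO_NAME mode. The keytab contents, principal names and enctype numbers are constructed; trial decryption itself is not simulated, only the candidate selection, so a bare account key with a matching kvno shows up as a candidate in the no-name mode.

```python
import struct, collections

Entry = collections.namedtuple("Entry", "principal kvno enctype key")  # e.g. "HTTP/host@REALM"

def build_keytab(entries):
    """Serialize entries as an MIT keytab, format 0x0502 (constructed test data)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1)  # number of name components
        for s in [realm] + name.split("/"):  # realm first, then each component
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, e.kvno & 0xFF, e.enctype, len(e.key))  # nametype, time, vno8, enctype, keylen
        body += e.key + struct.pack(">I", e.kvno)  # key bytes, then 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502); a negative entry size marks a deleted slot."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab format")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2; strs = []
        for _ in range(ncomp + 1):  # realm, then components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        vno8, enctype, klen = struct.unpack_from(">8xBHH", data, pos); pos += 13  # skip nametype, time
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit kvno if present
        entries.append(Entry("/".join(strs[1:]) + "@" + strs[0], kvno, enctype, key))
        pos = end
    return entries

def candidate_keys(entries, ticket_kvno, ticket_enctype, acceptor_name=None):
    """Keys an acceptor tries for a ticket. acceptor_name=None models GSS_C_NO_NAME: every key
    with the ticket's kvno and enctype is tried in turn, whatever its service, host or realm."""
    return [e for e in entries
            if e.kvno == ticket_kvno and e.enctype == ticket_enctype
            and (acceptor_name is None or e.principal == acceptor_name)]  # named: whole principal must match

# Constructed keytab: two hosts in two realms, an older kvno, and a bare account key.
SAMPLE = build_keytab([
    Entry("HTTP/proxy.example.com@EXAMPLE.COM", 3, 18, b"k" * 32),
    Entry("HTTP/proxy.example.com@EXAMPLE.COM", 2, 18, b"j" * 32),
    Entry("HTTP/proxy.example.net@EXAMPLE.NET", 3, 18, b"n" * 32),
    Entry("squid@EXAMPLE.COM", 3, 18, b"s" * 32),
])
```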

Re: principal selection

Victor Sudakov
Markus Moeller wrote:

> > If a kerberized server has several keys in its keytab, probably with
> > different FQDNs, realms, principal names etc, how does it select which
> > one to use? What's the selection process?
> >
> > E.g. to figure out which principal to use, does it look at
> >
> > 1. The value of `hostname`
> > 2. The value of $HOST
> > 3. The result of a reverse DNS lookup (which interface?)
> > 4. Config file
> > 5. Tries all available keys
> > 6. ???

>
> It depends on what is programmed in the application. For squid I
> programmed it so that the default is to use the hostname.

which you have chosen to obtain from some mysterious gethost_name().
What is this function and how does it obtain the hostname? Anything
from the above list?

I know only gethostname() which is standard and relies upon the manual
setting of the hostname.

> The only important
> information which is not controlled by the application is the kvno value.
> Each key has usually a version number (which usually corresponds to a
> password change of the account).
>
> If you do not use GSS_C_NO_NAME, all of these must match: kvno, service,
> host name (if provided) and realm.
>   If you use GSS_C_NO_NAME Kerberos will try one key after the other until
> it finds a key which can decrypt the provided encrypted data structure.

Do you mean to say that it should also try the keys without the
service part, like [hidden email] ?


--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: principal selection

Markus Moeller
Look into the code; it is defined in the same source.

Markus
