On Tue, Sep 17, 2002 at 11:44:14AM -0700, timothy perfitt wrote:
> My question is this: does the name of a service, ie ftpd, have to be
> part of the principal name of the service (ie
> [EMAIL PROTECTED])?

This is application-specific. Some use host/fqdn as their service principal; some use an app-specific principal; some have configurable behavior. What ftp server are you using?

> Do I even need a service key in krb5.keytab on the server?

You need to have one in *some* keytab on the server. Unless otherwise configured, this should be krb5.keytab.

> My understanding is that Kerberos provides assurance that a specific
> user on a specific host is authorized to connect to a specific server.

Um... no. Kerberos *authenticates* users, so that the server has assurance of the client's identity. It says nothing about what access they should be granted (authorization), just determines who they are (authentication).

Steve Langasek
postmodern programmer
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
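
The reply above says the server needs a service key in some keytab, and that the principal name an application looks up is application-specific. As an added example (not part of the original message), this Python parser reads the MIT keytab file format (version 0x0502 only) and checks whether a given service/fqdn principal is present; the host name, realm, service names and all-zero key are constructed sample values.

```python
import struct

def _counted(b):
    """Keytab counted string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno=1, enctype=18, key=bytes(32)):
    """Encode one keytab entry (constructed test data, all-zero key)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return [(principal, kvno, enctype)] for a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a hole left by a deleted entry
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        parts = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, p); p += 2
            parts.append(entry[p:p + n].decode()); p += n
        p += 8                      # skip name type and timestamp
        kvno = entry[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4 + klen
        if len(entry) - p >= 4:     # optional 32-bit kvno supersedes the 8-bit one when nonzero
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        found.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return found

def has_service_key(data, service, fqdn, realm):
    """True if the keytab holds a key for service/fqdn@realm."""
    want = f"{service}/{fqdn}@{realm}"
    return any(name == want for name, _, _ in list_principals(data))

# Constructed sample: a keytab holding only the host principal.
SAMPLE = b"\x05\x02" + build_entry("host/ftp.example.com@EXAMPLE.COM", kvno=3)
```

With this sample, a server configured to use host/fqdn finds its key, while one that expects an app-specific principal such as ftp/fqdn does not.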
