Re: Clarifications sought on Kerberos SA: TGS_REQ and Server Auth??

Wed, 07 Dec 2005 03:43:45 -0800 


Surendra Babu A wrote:

Hi Kerberos Team,

Could you please let me know your thoughts on the following questions? Thank a 
lot in advance,


1. While forming the TGS-REQ pkt, I need to send the Server name with that TGS_REQ packet. For 


this reason, I need to use krb5_parse_name(). second Parameter for this API is 
a Server Principal.

Should I need to send a qualified Hostname with that?

As long as the server and the client agree on what is in the name, and the 
principal
is regstered in the KDC, and the server has a copy of the key, it can work.

Servers usually have a two component name and the realm: <service>/<fqdn of 
host>@<realm>
and many of the Kerberos routines assist in making sure the host is converted 
to a fqdn.

You could have more components, DCE had some three component names.

You could use IP addresses, but IP addresses don't real identify a host, they
identify an interface. Hosts with multiple interfaces, VPNs, and NAT can
make this dificult. IP numbers change, so the client, server and KDC all need
to be updated. And what will you do about IPV6 addresses in a principal?

Use names if you can, DNS or even names are in pre distributed /etc/hosts
files.


 That means, we should know the Host NAme of

the server? Without knowing the HOst Name of the Application Server (i.e. If we 
know only IP Address),

can't we form the TGS_REQ packet and get the successful response TGS-REP?? I 
tyried with IP Address in

Principal. But it was not successding. COuld you please let me know your 
thoughts?






2. For Server Authentication feature: if the Application Server is a Kerberised ESMTP server, how it 


should proceed? After sending the Service ticket to ESMTP server, what should 
happen? Could you please

let me know the Client and Applciation Server handshake and transfer machanism 
till Server Authentication

feature happens?

Rather then using raw Kerberos, can you use gssapi? Gss addresses many of these 
issues.





Please let me know your thoughts. 


Thank you,
-Surendra
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos






















					Reply via email to