Dear Team,

Thanks a lot for the response.

Issue#1. Regarding Hostname in Server Principal:
So it is better to use the hostname in the principal. So for Server 
Authentication, Host name should be known. Right?

Without knowing the Hostname, it is difficult to resolve the Server 
Authentication. Right?

Additionally, on the Application Server side, should we configure the KDC server IP 
address? I think it is not required, because we are already sending the Server 
Principal in TGS-REQ. Right?

Conclusion: To enjoy the benefit of Server Authentication of Kerberos, the User 
should enter the Hostname of the Application Server. Right?


Issue#2: Regarding GSSAPI.
My assumption is, if ESMTP supports Kerberos, then it will give an AUTH GSSAPI 
response for the EHLO command. So I am sending the Service Ticket from our 
esmtp client. Is it right?

Let me explain clearly:
- AS_REQ and AS_REP happened and User Authentication is done successfully.
- TGS_REQ and TGS_REP happened between Kerberos client and KDC. So the Service ticket 
is at the KDC client side.

- Now we initiated the email operation from the Multi Function Printer. It 
contacted the ESMTP server from the ESMTP client.
- Sent the EHLO command. ESMTP Server gave me the AUTH GSSAPI response. So 
Kerberos is supported at the server side. Right?
- After seeing this GSSAPI string, sending the Service ticket to the ESMTP server.

Is it correct? We are assuming that, if GSSAPI is supported, Kerberos is 
supported. Is it right?

Could you please explain the Application Server transactions? How to 
communicate with GSSAPI?

Thank you,
-Surendra
----- Original Message ----- 
From: "Douglas E. Engert" <[EMAIL PROTECTED]>
To: "Surendra Babu A" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Wednesday, December 07, 2005 5:11 PM
Subject: Re: Clarifications sought on Kerberos SA: TGS_REQ and Server Auth??


> 
> 
> Surendra Babu A wrote:
> > Hi Kerberos Team,
> > 
> > Could you please let me know your thoughts on the following questions? 
> > Thank a lot in advance,
> > 
> > 1. While forming the TGS-REQ pkt, I need to send the Server name with that 
> > TGS_REQ packet. For 
> 
> this reason, I need to use krb5_parse_name(). The second parameter for this API 
> is a Server Principal.
> 
> Should I need to send a qualified Hostname with that?
> 
> As long as the server and the client agree on what is in the name, and the 
> principal
> is registered in the KDC, and the server has a copy of the key, it can work.
> 
> Servers usually have a two component name and the realm: <service>/<fqdn of 
> host>@<realm>
> and many of the Kerberos routines assist in making sure the host is converted 
> to a fqdn.
> 
> You could have more components, DCE had some three component names.
> 
> You could use IP addresses, but IP addresses don't really identify a host, they
> identify an interface. Hosts with multiple interfaces, VPNs, and NAT can
> make this difficult. IP numbers change, so the client, server and KDC all need
> to be updated. And what will you do about IPv6 addresses in a principal?
> 
> Use names if you can, from DNS or even names in pre-distributed /etc/hosts
> files.
> 
> 
>   That means, we should know the Host Name of
> the server? Without knowing the Host Name of the Application Server (i.e. if 
> we know only the IP Address),
> can't we form the TGS_REQ packet and get the successful response TGS-REP? I 
> tried with the IP Address in the
> Principal. But it was not succeeding. Could you please let me know your 
> thoughts?
> 
> 
> 
> > 
> > 2. For the Server Authentication feature: if the Application Server is a 
> > Kerberised ESMTP server, how 
> 
> should it proceed? After sending the Service ticket to the ESMTP server, what should 
> happen? Could you please
> let me know the Client and Application Server handshake and transfer 
> mechanism till the Server Authentication
> feature happens?
> 
> Rather than using raw Kerberos, can you use GSSAPI? GSS addresses many of 
> these issues.
> 
> 
> > 
> > Please let me know your thoughts. 
> > 
> > Thank you,
> > -Surendra
> > ________________________________________________
> > Kerberos mailing list           [email protected]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > 
> 
> -- 
> 
>   Douglas E. Engert  <[EMAIL PROTECTED]>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> 
> 
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
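The principal-naming advice in the quoted reply (use `<service>/<fqdn>@<realm>`, not an IP address), as an added example that is not from the thread or from the MIT krb5 code: a small Python parser for principal strings following the backslash-escaping rules of krb5_parse_name(), plus a builder that refuses IP literals. The hostnames, realm and function names are constructed; `smtp` is the SASL service name an ESMTP client uses for AUTH GSSAPI.

```python
import ipaddress

# Parse a krb5-style principal "c1/c2/...@REALM" into (components, realm),
# honouring the backslash escapes krb5_parse_name() accepts for '/', '@', '\'.
# No '@' gives realm None (krb5 would then use the default realm).
def parse_principal(text):
    comps, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped char: take literally
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":         # component separator
            comps.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":       # realm starts here
            comps.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return comps, "".join(buf)
    comps.append("".join(buf))
    return comps, None

def escape_component(comp):
    # Escape separators so the component round-trips through parse_principal().
    return comp.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")

def is_ip_literal(host):
    # True for IPv4/IPv6 literals such as 192.0.2.10 or 2001:db8::1 (constructed).
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_service_principal(service, host, realm):
    # Build the usual two-component form <service>/<fqdn>@<REALM>. IP literals are
    # refused: an address names an interface, not a host, and breaks under NAT,
    # VPNs and renumbering. Only case-folds and strips a trailing dot; real krb5
    # would additionally canonicalize the host to its FQDN via DNS.
    if is_ip_literal(host):
        raise ValueError("use a hostname, not an IP address: " + host)
    fqdn = host.rstrip(".").lower()
    return "%s/%s@%s" % (escape_component(service), escape_component(fqdn), realm)
```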
