Sandy, the ftp gssapi security extension is defined in rfc2228 and requires [EMAIL PROTECTED] or [EMAIL PROTECTED] for the gssapi context, which translates to an ftp/[EMAIL PROTECTED] or host/[EMAIL PROTECTED] Kerberos SPN:
The client must begin the authentication exchange by calling GSS_Init_Sec_Context, passing in 0 for input_context_handle (initially), and a targ_name equal to output_name from GSS_Import_Name called with input_name_type of Host-Based Service and input_name_string of "[EMAIL PROTECTED]" where "hostname" is the fully qualified host name of the server with all letters in lower case. (Failing this, the client may try again using input_name_string of "[EMAIL PROTECTED]".) The output_token must then be base 64 encoded and sent to the server as the argument to an ADAT command. If GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client must expect a token to be returned in the reply to the ADAT command. This token must subsequently be passed to another call to GSS_Init_Sec_Context. In this case, if GSS_Init_Sec_Context returns no output_token, then the reply code from the server for the previous ADAT command must have been 235. If GSS_Init_Sec_Context returns GSS_S_COMPLETE, then no further tokens are expected from the server, and the client must consider the server authenticated.

You can use anything you want for your own client-server application.

Regards
Markus

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi all,
>
> I have a query regarding the usage of the kerberos principals of the
> format "<service>/<FQDN>@<REALM>". My question is can I use any other
> principal format other than <service>/<FQDN>@<REALM>? The
> <service>/<FQDN>@<REALM> is the common convention used.
>
> Giving an example, say for example, I am using a kerberized ftp
> application. As of now, the keytab entries, the service entry on KDC
> are having the ftp principal of the format, ftp/[EMAIL PROTECTED] I am able
> to successfully do ftp connection using kerberos.
>
> My requirement is to avoid use of fqdn. Can I do it? Can I use
> principal of my convenience?
> I have noticed that when I start ftp
> client, by default it tries to get TGS of the form ftp/[EMAIL PROTECTED] If I
> have different entry for ftp service in the KDC, this will definitely
> fail. So does this requirement require changes in ftp server code and
> client code?
>
> 1) First of all can I do this way (using ftp principal other than the
> standard method of using fqdn)
>
> 2) Could anybody please tell me what are the issues involved here?
>
> 3) Issues involved when all the systems in the realm are non windows
> machines
>
> 4) interoperability issues like when I use ftp server on linux and try
> to connect to it from windows machine.
>
> Regards,
> Sandy.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
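As an added illustration of the RFC 2228 exchange Markus quotes above (this is not code from the original post or from any ftp implementation): a Python sketch of the client side of the ADAT loop, showing the ftp@/host@ target-name order with the Kerberos SPN each one maps to, and the 235/335 reply handling. The GSSAPI initiator and the server are constructed stand-ins with no real cryptography, and the function names and the reply-line regex are my own assumptions.

```python
import base64
import re

# Target names in the order RFC 2228 prescribes ("ftp@" first, "host@" as the
# fallback, FQDN lower-cased), paired with the Kerberos SPN each one maps to.
def rfc2228_targets(server_fqdn, realm):
    fqdn = server_fqdn.lower().rstrip(".")
    return [(f"{s}@{fqdn}", f"{s}/{fqdn}@{realm}") for s in ("ftp", "host")]

_ADAT_REPLY = re.compile(r"^(\d{3})(?:[ -]ADAT=(\S+))?")
# Parse a reply to ADAT into (code, decoded server token or None).
def parse_adat_reply(line):
    m = _ADAT_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"malformed ADAT reply: {line!r}")
    token = base64.b64decode(m.group(2)) if m.group(2) else None
    return int(m.group(1)), token

# Drive the ADAT loop. step(in_token) models GSS_Init_Sec_Context and returns
# (out_token, complete); send(cmd) sends one command and returns the reply.
# Returns True only when the client may consider the server authenticated.
def adat_exchange(step, send):
    in_token, last_code = None, None
    while True:
        out_token, complete = step(in_token)
        if out_token is None:
            # Nothing more to send: the previous reply must have been 235.
            return complete and last_code == 235
        reply = send("ADAT " + base64.b64encode(out_token).decode("ascii"))
        last_code, in_token = parse_adat_reply(reply)
        if complete:
            return last_code == 235       # no further server token expected
        if last_code not in (235, 335) or in_token is None:
            return False                  # rejected, or no token to continue

class FakeMech:
    """Constructed initiator stand-in: AP-REQ out, AP-REP in; no real crypto."""
    def __init__(self):
        self.sent = False
    def step(self, in_token):
        if not self.sent:
            self.sent = True
            return b"AP-REQ", False             # GSS_S_CONTINUE_NEEDED
        return None, in_token == b"AP-REP"      # GSS_S_COMPLETE, no output

def fake_server(cmd):
    """Constructed server: accepts the fake AP-REQ, rejects anything else."""
    tok = base64.b64decode(cmd.split(" ", 1)[1])
    if tok == b"AP-REQ":
        return "235 ADAT=" + base64.b64encode(b"AP-REP").decode("ascii")
    return "535 Failed security check"
```

With a real mechanism, step would wrap a GSSAPI security context created from the first target name that GSS_Import_Name accepts, and send would write to the FTP control connection.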
