On Wed, 2011-01-26 at 23:42 -0500, Victor Sudakov wrote:

> Do you mean that the server will look up in the keytab whatever
> principal the client has sent?

That depends on how the server code invokes the relevant library routines. The caller can provide a principal name (or a GSSAPI name which is mapped onto a principal name), in which case only service tickets for that principal will be accepted. If the server does not provide a principal name, then any service principal in the keytab will be accepted.

OpenSSH, for instance, will typically only accept the service principal host/localhostname@DEFAULTREALM in the default configuration. However, if you set GSSStrictAcceptorCheck no (this requires Simon's patch, which is included in most OS packagings of OpenSSH), then any service principal in the keytab will be accepted.

> So if I want a different principal
> name, I should configure the client rather than the server?

Typically clients do not allow configuration of this principal name, but yes, you'd have to somehow convince the client as well as possibly the server.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
