Re: [Perlgssapi-users] gss_nt_service_name
From: David L. <Dav...@qu...> - 2006-09-23 13:19:54
Achim Grolms wrote:
> On Saturday 23 September 2006 05:09, David Leonard wrote:
>
>> Oops, you're right; that's what happens when I fire off hasty emails! :-(
>> ok, I see that gss_nt_service_name means GSS_C_NT_HOSTBASED_SERVICE..
>>
>> So, then the krb5 principal ipmi/IT-CC would have to be specified as
>> ipmi@IT-CC ... or he could change the example scripts to use
>> gss_nt_krb5_principal instead of gss_nt_service_name. How does that sound?
>>
>
> Yes, gss_nt_krb5_principal can work, because no hostnames are hardwired
> in the principal name.
>
> Is it a good idea not to check the correct hostname/key
> when connecting to?
>

I'm not sure exactly what you mean by this question.

Do you mean the server should check the SPN used by the client? That doesn't work for Active Directory when you use host SPN aliases (e.g. a client request for "ftp/x.y.z" gets a 'fake' ticket that is actually for "host/x.y.z"). The practical strategy seems to be to ignore the SPN that the ticket is labelled with, and try to decrypt it with every entry in the keytab provided.

Or, do you mean the client should ensure that the hostname part of the specified target GSS host-based service name matches the DNS hostname of the IP connection's destination host? This is addressed by RFC 2743:

    When a reference to a [host-based service name "service@hostname"] is
    resolved, the "hostname" may (as an example implementation strategy) be
    canonicalized by attempting a DNS lookup and using the fully-qualified
    domain name which is returned, or by using the "hostname" as provided if
    the DNS lookup fails. The canonicalization operation also maps the host's
    name into lower-case characters.

d
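Added example, not from this thread or from the Perl GSSAPI module: it converts a krb5 principal such as ipmi/IT-CC@REALM into the service@host form that gss_nt_service_name (GSS_C_NT_HOSTBASED_SERVICE) expects, and applies the RFC 2743 canonicalization strategy quoted above. The DNS lookup is replaced by an injected resolver over a constructed table (SAMPLE_DNS) so it runs offline.

```python
# Added example (not code from the perlgssapi thread or the GSSAPI module):
# krb5 principal "service/host[@REALM]" -> host-based "service@host", then the
# RFC 2743 canonicalization: DNS lookup for the FQDN, fall back to the name as
# given if the lookup fails, and lower-case the result.
from typing import Callable, Optional

# Constructed lookup table standing in for DNS; not real resolver data.
SAMPLE_DNS = {
    "it-cc": "it-cc.corp.example.com",
}


def sample_resolver(host: str) -> Optional[str]:
    """Stand-in for a DNS lookup: return the FQDN, or None if it fails."""
    return SAMPLE_DNS.get(host.lower())


def principal_to_hostbased(principal: str) -> str:
    """'service/host[@REALM]' (gss_nt_krb5_principal form) ->
    'service@host' (gss_nt_service_name form).

    Host-based service names carry no realm, so a trailing @REALM is dropped.
    """
    name = principal.rsplit("@", 1)[0] if "@" in principal else principal
    if "/" not in name:
        raise ValueError(f"not a service/host principal: {principal!r}")
    service, host = name.split("/", 1)
    if not service or not host:
        raise ValueError(f"empty service or host in {principal!r}")
    return f"{service}@{host}"


def canonicalize_hostbased(
    name: str,
    resolve: Callable[[str], Optional[str]] = sample_resolver,
) -> str:
    """Canonicalize 'service@hostname' as RFC 2743 describes: use the FQDN a
    DNS lookup returns, else the hostname as provided, and lower-case it."""
    service, host = name.split("@", 1)
    fqdn = resolve(host)
    return f"{service}@{(fqdn or host).lower()}"


if __name__ == "__main__":
    hb = principal_to_hostbased("ipmi/IT-CC@EXAMPLE.COM")
    print(hb, "->", canonicalize_hostbased(hb))
    print(hb, "->", canonicalize_hostbased(hb, lambda h: None))  # lookup fails
```

With the sample table the host resolves to ipmi@it-cc.corp.example.com; when the resolver fails, the name stays ipmi@it-cc, lower-cased as the RFC strategy requires.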