Quoth [EMAIL PROTECTED] (Andreas Hasenack):
| I'm suddenly a little bit confused about host and services
| principals.
|
| For example, for OpenLDAP I have a principal called
| [EMAIL PROTECTED].  But, for openssh, I found out
| that I had to have a [EMAIL PROTECTED] principal
| instead of something like [EMAIL PROTECTED].
|
| This is defined by the service/application, right?

Yes, the application decides.  Some are even ambivalent, like
ftp which can be either "ftp" or "host".  Telnet uses "host",
and it seems to have made sense to everyone that the same key
would serve for sshd.

An LDAP service certainly should have its own key, but in my
opinion this should actually be a run time option.  LDAP
services aren't really a distinct category.  You might run
several LDAP services on the same host whose data and access
controls are completely different, and that's what you would
like to base the service principals on, not the technicality
of the protocol.  But you might also run two that are
essentially identical, but on separate service ports for
testing, so it isn't ideal to just incorporate the service
port in the service principal to accomplish this (don't laugh!
I believe there are implementations that do exactly that.)

        Donn Cave, [EMAIL PROTECTED]

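As an added illustration (not code from either poster), the convention discussed above written as a small check: for each daemon, the service names it may look for, and whether a keytab listing contains one of them. The keytab listing is a constructed sample in the shape of MIT `klist -k` output; `srv.example.com`, `EXAMPLE.COM` and the `ldap` service name are assumptions.

```python
import re

# Service names a daemon may use, per the discussion: telnet and sshd
# use "host", ftp accepts "ftp" or "host".  "ldap" is assumed, since the
# LDAP principal in the quoted message was redacted.
SERVICE_NAMES = {
    "sshd":   ["host"],
    "telnet": ["host"],
    "ftp":    ["ftp", "host"],
    "ldap":   ["ldap"],
}

def candidate_principals(daemon, fqdn, realm):
    """Principals that `daemon` on `fqdn` could authenticate with."""
    return [f"{name}/{fqdn}@{realm}" for name in SERVICE_NAMES[daemon]]

# One data line of `klist -k` output: "<kvno> <service>/<host>@<REALM>"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)\s*$")

def parse_keytab_listing(text):
    """Collect the principal column of a `klist -k` style listing."""
    principals = set()
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            principals.add(m.group(2))
    return principals

def check_keytab(daemons, fqdn, realm, listing):
    """Map each daemon to the first usable principal found, or None."""
    have = parse_keytab_listing(listing)
    result = {}
    for d in daemons:
        found = [p for p in candidate_principals(d, fqdn, realm) if p in have]
        result[d] = found[0] if found else None
    return result

# Constructed sample listing; note there is no ftp/ principal, so ftp
# falls back to the host/ key, as the message says it can.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/srv.example.com@EXAMPLE.COM
   2 ldap/srv.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    daemons = ["sshd", "telnet", "ftp", "ldap"]
    for d, p in check_keytab(daemons, "srv.example.com",
                             "EXAMPLE.COM", SAMPLE_KEYTAB).items():
        print(f"{d:7s} {p or 'MISSING'}")
```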