Marco Rebhan via Kerberos <kerberos@mit.edu> writes:

> What purpose does the host principal for clients serve here? I assumed
> it would be either used to authenticate hosts before they're allowed to
> obtain a TGT, or authenticate for mounting NFS shares, but clearly
> that's not the case since it works without. Is it only used so that the
> network share can be mounted without a user TGT?
Yup, pretty much. There is indeed no need to key clients if you're going to obtain credentials after login with something like kinit and you don't care about more sophisticated Kerberos network protection features like FAST.

The other reason to key a client is so that it can verify that the password that you enter is indeed a valid Kerberos credential so that you can use Kerberos to control access to the system itself. If the system doesn't have any keys (and you don't have something like anonymous PKINIT available), then the client computer can't tell the difference between getting Kerberos credentials from a real KDC or from a fake KDC that someone put on the same network.

This only matters in cases where someone might be trying to log on to the client system with fake Kerberos credentials, and doesn't really matter if you're logging on to the system with local credentials and then getting Kerberos credentials later. (This is mostly relevant for work computers that use central Kerberos to authenticate all access, computer labs that have multiple users, and similar sorts of cases.)

--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
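A toy model of the check described in the reply above, added here as an illustration and not code from the thread or from MIT krb5: after the AS exchange, a keyed client asks for a ticket for its own host principal and confirms it was sealed under the key in its keytab, which a KDC that never had that key cannot do. An HMAC stands in for ticket encryption, the realm, principal names and keys are constructed, and the `verify_ap_req_nofail` flag models the krb5.conf `[libdefaults]` option of the same name.

```python
import hmac
import hashlib
import secrets

def seal(key: bytes, body: bytes) -> bytes:
    # Toy stand-in for Kerberos ticket encryption: an HMAC tag that only
    # the holder of the service's long-term key can compute.
    return hmac.new(key, body, hashlib.sha256).digest()

class ToyKDC:
    """KDC holding the long-term keys of its principals (constructed sample).
    A rogue KDC is just a ToyKDC whose key table lacks the real host key."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def service_ticket(self, client: str, service: str) -> dict:
        body = f"{client} -> {service}".encode()
        # The real KDC seals with the service's key; a rogue one can only guess.
        key = self.keys.get(service) or secrets.token_bytes(32)
        return {"body": body, "seal": seal(key, body)}

def verify_init_creds(kdc: ToyKDC, client: str, host_princ: str, keytab: dict):
    """Mirrors what krb5_verify_init_creds() does: after the AS exchange, fetch a
    ticket for the host's own principal and check it decrypts under the keytab key.
    Returns True/False, or None when there is no keytab to check against."""
    key = keytab.get(host_princ)
    if key is None:
        return None
    ticket = kdc.service_ticket(client, host_princ)
    return hmac.compare_digest(seal(key, ticket["body"]), ticket["seal"])

def login_allowed(kdc, client, host_princ, keytab, verify_ap_req_nofail=False):
    """Login decision: an unverifiable result is accepted unless the
    verify_ap_req_nofail policy turns 'cannot check' into a failure."""
    result = verify_init_creds(kdc, client, host_princ, keytab)
    if result is None:
        return not verify_ap_req_nofail
    return result

# Constructed sample realm: one user, one client workstation with a keytab.
HOST = "host/ws1.example.org@EXAMPLE.ORG"
HOST_KEY = secrets.token_bytes(32)
KEYTAB = {HOST: HOST_KEY}
REAL_KDC = ToyKDC({"alice@EXAMPLE.ORG": secrets.token_bytes(32), HOST: HOST_KEY})
ROGUE_KDC = ToyKDC({"alice@EXAMPLE.ORG": secrets.token_bytes(32)})  # no host key
```

Without a keytab the rogue KDC is indistinguishable from the real one (`login_allowed(ROGUE_KDC, ..., {})` is True); with the host key it is rejected, and setting `verify_ap_req_nofail` makes the unkeyed case fail closed.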