
I've read in the O'Reilly "Kerberos" book that it is possible to create instances for user principals. As I understand it, the text says I could have username@REALM.NET for usual activities and username/admin@REALM.NET for ssh login to the production server, with a different password.

The MIT Kerberos definition of a principal is ambiguous to me. First, it states that a principal can have an arbitrary number of components divided by /, but after that it states that it may have an optional admin instance.

  1. Can the instance part of a user principal name be an arbitrary string? Which implementations support this feature?

  2. What happens when the main user principal is deleted from the database (if I delete user@REALM, what will happen to user/instance@REALM)?

  3. Is it possible to create user principal instances in ActiveDirectory 2008? If it's possible, how do I create one?

  4. To what username on a system will OpenSSH map the Kerberos user instance username/admin@REALM.NET? What is the default mapping?

  5. What happens to UPNs with instances when a two-way trust is set up between an MIT Kerberos realm and ActiveDirectory?

EDIT:

I see no notion of the component[/component][/component]...@REALM format, described in the O'Reilly book, in RFC 4120.

EDIT2:

Exact quote from the book (Chapter 2.4.1.3, "Kerberos 5 principals"):

Let's take a look at an example Kerberos 5 user principal:

jdoe/admin@IT.WEDGIE.ORG

This example is equivalent to the first Kerberos 4 example, showing the format of John Doe's principal with an admin instance.

The book errata don't mention it as wrong.

EDIT3:

Description of the use of instances by the MIT Student Information Processing Board:

There are three parts of a Kerberos name: a principal, an optional instance, and a realm. The principal is typically your username, and the realm, at MIT, is usually ATHENA.MIT.EDU. For the Kerberos identity you typically regard as your own, the one that you use to log in to Athena with your regular password, the instance is null (empty). However, you can ask for additional instances, usually a "root" or "extra" instance. [...] Another thing you might want is an extra instance. Some people use these just like another root instance, with slightly lower security. But a common use is something less secure than your null instance. For example, if you're writing a zephyrbot to run on a shared server like scripts.mit.edu, the zephyrbot will need Kerberos tickets to subscribe to zephyrs. But you don't want to leave your Kerberos password in a file in your locker, so you can leave your extra instance's password instead.

EDIT4:

O'Reilly "SSH: The secure shell" (chapter 11.5.2.1 "How Kerberos works")

A principal name looks like 1/2/3/.../n@REALM. There can be any (positive) number of initial parts as shown, but in practice there are usually either one or two. A plain-user principal name would be res@REALM. A user principal name for particular uses, such as a privileged administrative instance, might be res/admin@REALM.

olmstad
    Kind of sounds like you want a SPN for SSH added to your UPN. Explanation of UPN/SPN difference at http://stackoverflow.com/questions/18234192/kerberos-difference-between-upn-and-spn – Clayton Aug 01 '16 at 20:08
  • I understand the difference between UPN and SPN, I don't get the instance part in UPN specifically. – olmstad Aug 01 '16 at 20:10
  • Updated my question with examples. – olmstad Aug 03 '16 at 17:26
  • I've decided to up-vote the question. It's not bad. The Internet is full of 'root/admin' UPNs. I would like to hear what other instances (other than admin) are used in UPNs. It seems to me the whole instance/admin thing in UPNs is there to enable Kerberos administrators to do remote administration of the KDB. There is no other use case. Thanks! – SashaN Feb 06 '20 at 12:04

2 Answers


Other Kerberos implementations may allow multiple UPNs for a given user, but MS AD does not. MSDN Reference:

This attribute is an indexed string that is single-valued.

Clayton
  • My question is too broad. I guess, since its score is -1 and there is no accepted answer, it will be deleted in a day or so. I've created a separate question https://serverfault.com/questions/795827/does-activedirectory-support-kerberos-user-principle-instances about AD support. If you copy your answer there I will accept it. Thanks. – olmstad Aug 09 '16 at 18:01

Is it possible to create user principal instances in ActiveDirectory 2008? If it's possible, how do I create one?

setspn should do the trick, I think. But AD is hardly a reference Kerberos implementation and instances on user accounts are certainly not used by Windows.

To what username on a system will ssh map the Kerberos user instance username/admin@REALM.NET?

In short: To whatever UID you map it to. See .k5login documentation.

But I don't think I have ever seen a principal name for a user in the form of primary/instance@realm outside of a textbook; typically the /instance is omitted.
(Of course you see that same form all the time for services, i.e. service/hostname@realm.)

HBruijn
  • Maybe the whole idea was wrong and it isn't possible in the first place? I've updated my question, but it seems that the solution is just to create a second user principal for server administration and not mix it with my regular account. – olmstad Aug 01 '16 at 20:05
  • The fact that I have never seen it is not conclusive that it is impossible :-) – HBruijn Aug 02 '16 at 03:00
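The two points above that decide the outcome for a principal such as username/admin@REALM.NET are the component/realm format from the question's EDIT4 and the ".k5login or default mapping" answer. The following Python model, added here as an illustration and not code from the question, the answers or MIT krb5, parses a principal the MIT way (backslash escapes / and @), applies MIT's built-in DEFAULT auth_to_local rule (single component, default realm only) and then the .k5login check that sshd consults first when the file exists. REALM.NET, username and the .k5login lines are constructed sample values.

```python
from typing import List, Optional, Tuple


def parse_principal(text: str) -> Tuple[List[str], str]:
    """Split 'c1/c2/.../cn@REALM' into (components, realm).

    Follows the MIT convention that a backslash escapes the next character,
    so 'host\\/x@R' is ONE component 'host/x' in realm 'R'.
    """
    components: List[str] = []
    buf: List[str] = []
    escaped = in_realm = False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "/" and not in_realm:
            components.append("".join(buf))
            buf = []
        elif ch == "@" and not in_realm:
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
    if not in_realm:
        raise ValueError("principal has no @REALM part: %r" % text)
    return components, "".join(buf)


def default_auth_to_local(principal: str, default_realm: str) -> Optional[str]:
    """MIT's DEFAULT rule: only a single-component principal in the default
    realm maps to a local account; user/admin@REALM yields no mapping at all."""
    comps, realm = parse_principal(principal)
    if realm != default_realm or len(comps) != 1:
        return None
    return comps[0]


def k5login_allows(principal: str, k5login_lines: List[str]) -> bool:
    """~/.k5login of the target account lists one allowed principal per line."""
    wanted = parse_principal(principal)
    lines = (ln.strip() for ln in k5login_lines)
    return any(parse_principal(ln) == wanted for ln in lines if ln)


def may_log_in(principal: str, local_user: str, default_realm: str,
               k5login: Optional[List[str]]) -> bool:
    """Mirror krb5_kuserok: an existing .k5login is authoritative (listed or
    denied); with no file, the principal must map to local_user by DEFAULT."""
    if k5login is not None:
        return k5login_allows(principal, k5login)
    return default_auth_to_local(principal, default_realm) == local_user
```

So username/admin@REALM.NET reaches the account "username" only when ~username/.k5login names it (or an auth_to_local rule in krb5.conf is added); with no file, the DEFAULT rule rejects it while plain username@REALM.NET is accepted.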