Ssh – a Kerberos user principal instance

active-directory kerberos ssh

I've read in the O'Reilly "Kerberos" book that it is possible to create instances for user principals. As I understand it, the text says I could have username@REALM.NET for usual activities and username/admin@REALM.NET for ssh login to the production server, with a different password.

The MIT Kerberos definition of a principal is ambiguous to me. First, it states that a principal can have an arbitrary number of components divided by /, but after that it states that it may have an optional admin instance.

  1. Can the instance part of a user principal name be an arbitrary string? Which implementations support this feature?

  2. What happens when the main user principal is deleted from the database (if I delete user@REALM, what will happen to user/instance@REALM)?

  3. Is it possible to create user principal instances in Active Directory 2008? If it is possible, how do I create one?

  4. To what username on a system will OpenSSH map the Kerberos user instance username/admin@REALM.NET? What is the default mapping?

  5. What happens to UPNs with instances when a two-way trust is set up between an MIT Kerberos realm and Active Directory?

EDIT:

I see no notion of the component[/component][/component]...@REALM format described in the O'Reilly book in RFC 4120.

EDIT2:

Exact quote from the book (Chapter 2.4.1.3, "Kerberos 5 principals"):

Let's take a look at an example Kerberos 5 user principal:

jdoe/admin@IT.WEDGIE.ORG

This example is equivalent to the first Kerberos 4 example, showing
the format of John Doe's principal with an admin instance.

The book's errata doesn't mention it as wrong.

EDIT3:

Description of the use of instances by the MIT Student Information Processing Board:

There are three parts of a Kerberos name: a principal, an optional
instance, and a realm. The principal is typically your username, and
the realm, at MIT, is usually ATHENA.MIT.EDU. For the Kerberos
identity you typically regard as your own, the one that you use to log
in to Athena with your regular password, the instance is null (empty).
However, you can ask for additional instances, usually a "root" or
"extra" instance. […]
Another thing you might want is an extra instance. Some people use
these just like another root instance, with slightly lower security.
But a common use is something less secure than your null instance. For
example, if you're writing a zephyrbot to run on a shared server like
scripts.mit.edu, the zephyrbot will need Kerberos tickets to subscribe
to zephyrs. But you don't want to leave your Kerberos password in a
file in your locker, so you can leave your extra instance's password
instead.

EDIT4:

O'Reilly "SSH: The secure shell" (chapter 11.5.2.1 "How Kerberos works")

A principal name looks like 1/2/3/…/n@REALM. There can be any (positive) number of initial parts as shown, but in practice there are usually either one or two. A plain-user principal name would be res@REALM. A user principal name for particular uses, such as a privileged administrative instance, might be res/admin@REALM.
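Item 4 asks how OpenSSH turns a principal with an instance into a local account. The following is an added illustration, not taken from the question, the answer or any of the books quoted above. It models in Python the MIT krb5.conf `auth_to_local` rule syntax (`RULE:[n:string](regexp)s/pattern/replacement/` and `DEFAULT`) and the `krb5_kuserok()` check that OpenSSH's GSSAPI authentication calls on the server: with only the `DEFAULT` rule, a principal that has an instance (or is outside the default realm) maps to no local user at all, so `username/admin@REALM.NET` is refused unless a `RULE` maps it or the target account's `~/.k5login` lists it. The realm `REALM.NET`, the rule strings and the sample principals are constructed for the example.

```python
import re

# Constructed: the default realm and an auth_to_local rule list in MIT syntax.
# The RULE maps two-component principals "user/admin@REALM.NET" to "user-admin";
# DEFAULT only maps single-component principals in the default realm.
DEFAULT_REALM = "REALM.NET"
AUTH_TO_LOCAL = [
    "RULE:[2:$1-$2@$0](^[^@]+-admin@REALM\\.NET$)s/@REALM\\.NET$//",
    "DEFAULT",
]

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal):
    """Split 'c1/c2/...@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the local name a single rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # MIT docs: DEFAULT fails for multi-component or foreign-realm principals.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    ncomp, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != ncomp:
        return None
    # $0 is the realm, $1..$n are the principal components (single digit here).
    vars_ = {"0": realm, **{str(i): c for i, c in enumerate(components, 1)}}
    formatted = re.sub(r"\$(\d)", lambda mm: vars_.get(mm.group(1), ""), fmt)
    if not re.fullmatch(regexp, formatted):   # treated as a whole-string match
        return None
    for pattern, repl, flag in SUBST_RE.findall(substs):
        formatted = re.sub(pattern, repl, formatted, count=0 if flag else 1)
    return formatted


def map_principal(principal, rules=AUTH_TO_LOCAL):
    """First applicable rule wins; None means 'no local name' (login refused)."""
    components, realm = split_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None


def kuserok(local_user, principal, k5login_lines=None):
    """Model of krb5_kuserok(): if ~/.k5login exists the principal must be listed
    in it; otherwise the auth_to_local mapping must produce exactly local_user."""
    if k5login_lines is not None:
        return principal in {l.strip() for l in k5login_lines if l.strip()}
    return map_principal(principal) == local_user


if __name__ == "__main__":
    for p in ("jdoe@REALM.NET", "jdoe/admin@REALM.NET", "jdoe/admin@OTHER.NET"):
        print(f"{p:28} -> {map_principal(p)!r}  (DEFAULT only: {map_principal(p, ['DEFAULT'])!r})")
    print("jdoe/admin may log in as jdoe via .k5login:",
          kuserok("jdoe", "jdoe/admin@REALM.NET", ["jdoe/admin@REALM.NET"]))
```

The point to take from the run is that the instance principal is not silently treated as `jdoe`: without a `RULE` or a `.k5login` entry, the `DEFAULT` mapping yields nothing and the GSSAPI login fails, which is the safe direction for a separate-password admin instance.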

Best Answer

Other Kerberos implementations may allow multiple UPNs for a given user, but MS AD does not. MSDN Reference

This attribute is an indexed string that is single-valued.