java - Correct Kerberos principal type for host-based services

Tags: java kerberos principal gssapi jgss

There are several types of Kerberos principals. A normal user principal such as michael-o@COMPANY.COM would be KRB_NT_PRINCIPAL. But what about a service like HTTP/host.company.com@COMPANY.COM? There are several possible types, e.g. KRB_NT_SRV_{INST|HST|XHST}. Which one is correct?

As far as I understand, INST applies only to the TGT. I think the correct answer should be HST. I could not find a clue in Oracle's JDK source code, but there are two contradicting points: 1 2.

Best answer

RFC 4120 section 7.5.8 defines the name types. In practice, most cases use KRB_NT_SRV_HST. I have never seen KRB_NT_SRV_XHST outside of the RFC and test code. Generally, KRB_NT_SRV_INST is used when the second component is not a host name. Examples include the TGT or other replicated services where it does not matter which host you get. However, the name type is not that important. Section 6.2 describes this:

As was the case for realm names, conventions are needed to ensure that all agree on what information is implied by a principal name. The name-type field that is part of the principal name indicates the kind of information implied by the name. The name-type SHOULD be treated only as a hint to interpreting the meaning of a name. It is not significant when checking for equivalence. Principal names that differ only in the name-type identify the same principal. The name type does not partition the name space. Ignoring the name type, no two names can be the same (i.e., at least one of the components, or the realm, MUST be different). The following name types are defined:

Modern Kerberos implementations do treat KRB_NT_SRV_HST a bit specially. In particular, they are more likely to generate cross-realm referrals based on the hostname in the second component of such a principal. So if the first component identifies a service and the second identifies a host name, SRV_HST is best.
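As an added example (not code from the question or the answer above), a small Python model of RFC 4120 principal names: it parses a principal string, applies the answer's rule for choosing a name type, and compares two principals while ignoring the name type as section 6.2 requires. The hostname heuristic, the `Principal` class and the "service@host" rendering used by GSS-API host-based names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class NameType(IntEnum):
    """Principal name types and their values from RFC 4120 section 7.5.8."""
    UNKNOWN = 0
    PRINCIPAL = 1
    SRV_INST = 2
    SRV_HST = 3
    SRV_XHST = 4


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str
    name_type: NameType = NameType.UNKNOWN

    def same_principal(self, other):
        # RFC 4120 section 6.2: the name type is only a hint and is not
        # significant when checking for equivalence, so it is ignored here.
        return self.components == other.components and self.realm == other.realm


def parse_principal(text, name_type=NameType.UNKNOWN):
    """Split 'comp1/comp2@REALM', honouring backslash escapes of '/', '@' and '\\'."""
    parts, current, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            current.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":         # component separator or start of realm
            parts.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    return Principal(tuple(parts), "".join(current), name_type)


# Hostname heuristic (assumption of this example): dotted labels, as in host.company.com.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$", re.I)


def suggest_name_type(p):
    """Apply the answer's rule: service/hostname -> SRV_HST, TGT and replicated services -> SRV_INST."""
    if len(p.components) == 1:
        return NameType.PRINCIPAL
    if len(p.components) == 2 and p.components[0] != "krbtgt" and _HOSTNAME.match(p.components[1]):
        return NameType.SRV_HST
    return NameType.SRV_INST


def gss_hostbased_name(p):
    """Render a SRV_HST principal as the 'service@host' string used by GSS-API host-based names."""
    if suggest_name_type(p) != NameType.SRV_HST:
        raise ValueError("not a host-based service principal: %r" % (p,))
    return "%s@%s" % p.components
```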

Regarding "java - Correct Kerberos principal type for host-based services", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9933082/
