I've set up Ubuntu for testing purposes.
- Installed MIT Kerberos (latest)
- Installed OpenSSH (latest)
I've set up and have working both KerberosAuthentication and pam_krb5 types of authentication, as well as GSSAPIAuthentication. All is well there.
When I set it up to use only "KerberosAuthentication" or "pam_krb5", I see requests for host/:
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for krbtgt/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
Nov 20 00:09:11 kdcname krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.168.1.104: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, [email protected] for host/[email protected]
Is the host/ service principal needed for something (TGS_REQ)?
In my mind all you need is AS_REQ to validate the user's password.
It's to prevent man in the middle attacks against the KDC.
I found the answer in Google Books:
Pg 108/109 of Kerberos: The Definitive Guide seems authoritative.
I will delay in accepting this as an answer. There should be more of a write-up here, and my intent was not to self-promote, and copy/pasting more than a sentence or so seems inappropriate.
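Added example, not part of the original post: a Python sketch that reads krb5kdc log lines in the format quoted in the question and lists TGTs that were never followed by a TGS_REQ for the server's host/ principal, which is what a password check that skips KDC verification (or a plain kinit) looks like from the KDC side. It pairs requests on client, address and authtime, since the TGS_REQ lines above carry the same authtime as the AS_REQ; the principals, host names and addresses in the sample are constructed, and `unverified_logins` is a name chosen for this example.

```python
import re

# Matches the "ISSUE" lines krb5kdc logs for AS_REQ and TGS_REQ (format as quoted in the question).
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), .*?, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

# Constructed sample log: principals, host names and addresses are made up.
SAMPLE = """\
Nov 20 00:09:11 kdc1 krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Nov 20 00:09:11 kdc1 krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 20 00:09:11 kdc1 krb5kdc[12476](info): TGS_REQ (2 etypes {16 17}) 192.0.2.10: ISSUE: authtime 1511154551, etypes {rep=17 tkt=18 ses=17}, alice@EXAMPLE.COM for host/ssh1.example.com@EXAMPLE.COM
Nov 20 00:10:00 kdc1 krb5kdc[12476](info): AS_REQ (2 etypes {16 17}) 192.0.2.20: ISSUE: authtime 1511154600, etypes {rep=17 tkt=18 ses=17}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
""".splitlines()


def unverified_logins(lines, host_service):
    """Return (client, addr, authtime) for each TGT that was never followed by
    a ticket request for host_service carrying the same authtime."""
    tgts, verified = [], set()
    for line in lines:
        m = ISSUE_RE.search(line.strip())
        if not m:
            continue  # NEEDED_PREAUTH and unrelated lines are ignored
        key = (m["client"], m["addr"], m["authtime"])
        if m["kind"] == "AS_REQ" and m["service"].startswith("krbtgt/"):
            if key not in tgts:  # the same line may be logged twice
                tgts.append(key)
        elif m["kind"] == "TGS_REQ" and m["service"] == host_service:
            verified.add(key)
    return [k for k in tgts if k not in verified]


if __name__ == "__main__":
    service = "host/ssh1.example.com@EXAMPLE.COM"  # constructed principal
    for client, addr, authtime in unverified_logins(SAMPLE, service):
        print(f"no {service} ticket after TGT: {client} from {addr} (authtime {authtime})")
```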