openssh bugs - Aug 2006 - [Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts

http://bugzilla.mindrot.org/show_bug.cgi?id=928


simon at sxw.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simon at sxw.org.uk




------- Comment #2 from simon at sxw.org.uk  2006-08-19 08:31 -------
I'd rather see us move towards just using GSS_C_NO_NAME as the
acceptor credential. However, library support for this is still
emerging.

[Sorry for the bad formatting of this, and my previous bug posts ...]




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=928





------- Comment #3 from simon at sxw.org.uk  2006-09-11 00:04 -------
Created an attachment (id=1182)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1182&action=view)
Add new option to allow better operation on multi-homed hosts

This fix takes advantage of recent movements in both Heimdal
and MIT Kerberos to support the use of GSS_C_NO_CREDENTIALS to
indicate that any credential in the default keytab may be used to
accept connections on a multi-homed host. 

The attached patch adds a new option, 'GSSAPIStrictAcceptorCheck', 
which defaults to 'yes'. If it is disabled, then GSS_C_NO_CREDENTIALS
is used instead of the default acceptor credential. This relies on the
system administrator only having trusted server keys in
/etc/krb5.keytab
- but if they haven't, they've lost anyway.

Note that this patch needs to be applied after the code tidy up patch
in
bug #1225




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.