(was: "Re: Pending OpenSSH release, call for testing", topic drift at its finest :-)

Markus Moeller wrote:
> Douglas,
>
> OK three possible settings (hostname, connection IP, GSS_C_NO_NAME) are fine for me too.

Does GSS_C_NO_NAME relate to this bug (addressless tickets)?
http://bugzilla.mindrot.org/show_bug.cgi?id=488

BTW, I opened a bug for the multihomed thing a couple of days ago:
http://bugzilla.mindrot.org/show_bug.cgi?id=928

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Darren Tucker wrote:
> (was: "Re: Pending OpenSSH release, call for testing", topic drift at
> its finest :-)
>
> Markus Moeller wrote:
>
>> Douglas,
>>
>> OK three possible settings (hostname, connection IP, GSS_C_NO_NAME) are
>> fine for me too.
>
> Does GSS_C_NO_NAME relate to this bug (addressless tickets)?
> http://bugzilla.mindrot.org/show_bug.cgi?id=488

No, the GSS_C_NO_NAME is GSS server defining its own principal name.

The addressless tickets is turning off the address list in the initial TGT. The address list was designed to verify that a ticket was being used from the correct host by a server using the getpeername then checking the address list. But in today's world of NAT and VPNs this is unreliable.

But the MIT krb5.conf in the [libdefaults] has a noaddresses flag, which in effect turns off the default of adding addresses. The submitters of the BUG may want to comment on if this would work for them.

> BTW, I opened a bug for the multihomed thing a couple of days ago:
> http://bugzilla.mindrot.org/show_bug.cgi?id=928

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Darren,

Thanks for opening the bug. Do you expect a patch or is there an owner for the gss implementation in openssh?

Regards
Markus

On Tue Sep 14 13:52, Darren Tucker <dtucker at zip.com.au> sent:
>(was: "Re: Pending OpenSSH release, call for testing", topic drift at
>its finest :-)
>
>Markus Moeller wrote:
>> Douglas,
>>
>> OK three possible settings (hostname, connection IP, GSS_C_NO_NAME) are fine for me too.
>
>Does GSS_C_NO_NAME relate to this bug (addressless tickets)?
>http://bugzilla.mindrot.org/show_bug.cgi?id=488
>
>BTW, I opened a bug for the multihomed thing a couple of days ago:
>http://bugzilla.mindrot.org/show_bug.cgi?id=928
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.