openssh bugs - Mar 2013 - [Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts

https://bugzilla.mindrot.org/show_bug.cgi?id=928

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2076

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=928

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2035                        |

--- Comment #24 from Damien Miller <djm at mindrot.org> ---
retarget to openssh-6.3

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=928

--- Comment #25 from Paul Henson <henson at acm.org> ---
This bug's been open over 8 years 8-/.

Is there an objection to applying the patch, or?

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=928

--- Comment #26 from jotones at hotmail.com ---
Good Morning, 

Apart of be very useful for systems behind load balancers, this patch
is needed for High Availability Clusters.

We can not use Kerberos / GSSAPI without this patch in place and also
it is very useful for Kerberos authentication and SSO.

Thanks, 

Jose Luist

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=928

--- Comment #27 from Mantas M. <grawity at gmail.com> ---
MIT Krb5 v1.10 has an option [libdefaults] ignore_acceptor_hostname,
which achieves the same functionality for all services using GSSAPI.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=928

--- Comment #28 from jotones at hotmail.com ---
Hi, 

We are using IBM NAS Kerberos implementation. It is a MIT derived
version unfortunatelly not upgraded to this MIT version.

Anyway have you tried it? I have dealed with this issue several years
ago and I have to review it but I think that it is sshd whot is not
accepting it. 

The Kerveros server side is reponsible to check the user credentials
not the underlying Kerberos software. Sshd adds a extra check denying
(almost in our case) access to the users who has not the hostname
kerberos principal ticket.

Thanks for your response.

Jos? Luis

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter of the bug.