[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts
bugzilla-daemon at mindrot.org
Mon Sep 11 00:04:56 EST 2006
http://bugzilla.mindrot.org/show_bug.cgi?id=928
------- Comment #3 from simon at sxw.org.uk 2006-09-11 00:04 -------
Created an attachment (id=1182)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1182&action=view)
Add new option to allow better operation on multi-homed hosts
This fix takes advantage of recent movements in both Heimdal
and MIT Kerberos to support the use of GSS_C_NO_CREDENTIALS to
indicate that any credential in the default keytab may be used to
accept connections on a multi-homed host.

The attached patch adds a new option, 'GSSAPIStrictAcceptorCheck',
which defaults to 'yes'. If it is disabled, then GSS_C_NO_CREDENTIALS
is used instead of the default acceptor credential. This relies on the
system administrator only having trusted server keys in
/etc/krb5.keytab - but if they haven't, they've lost anyway.

Note that this patch needs to be applied after the code tidy up patch
in bug #1225.
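
The comment above makes disabling 'GSSAPIStrictAcceptorCheck' depend on /etc/krb5.keytab holding only trusted server keys. The following is an added example, not part of the original comment or the attached patch: a check that lists keytab principals outside an administrator-supplied allowlist. It assumes plain MIT Kerberos `klist -k` output (no -t); the function names, host names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit keytab principals before relaxing the acceptor check.
# Assumption: stdin is MIT Kerberos `klist -k` output, i.e. header lines
# followed by rows of "<KVNO> <principal>".

# unexpected_principals ALLOWED...
# Prints each distinct principal from stdin that is not in the allowlist.
unexpected_principals() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Entry rows start with a numeric KVNO; headers and rulers do not.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $2
            if (!(p in ok) && !(p in seen)) { seen[p] = 1; print p }
        }
    '
}

# keytab_ok ALLOWED...
# Returns 0 when every principal on stdin is allowlisted, 1 otherwise.
keytab_ok() {
    extra=$(unexpected_principals "$@")
    [ -z "$extra" ] && return 0
    echo "$extra" | sed 's/^/unexpected acceptor key: /' >&2
    return 1
}

# Constructed sample listing (not taken from a real host).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/gw-int.example.org@EXAMPLE.ORG
   3 host/gw-int.example.org@EXAMPLE.ORG
   2 host/gw-ext.example.org@EXAMPLE.ORG
   1 nfs/oldbox.example.org@EXAMPLE.ORG
EOF
}

# Typical use on a real host (run as root):
#   klist -k /etc/krb5.keytab | keytab_ok host/a.example.org@R host/b.example.org@R
```

Any principal the check reports is a key that could accept connections once the strict check is off, so it should be removed from the keytab or consciously added to the allowlist first.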