[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Aug 10 00:58:31 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=928





--- Comment #6 from Simon Wilkinson <simon at sxw.org.uk>  2008-08-10 00:58:27 ---
The potential risk (with my patch, which is the correct way to
implement this with modern Kerberos libraries) is that it allows any
principal contained within the system keytab to be used, rather than
just the host/hostname one.

However, Kerberos administrators already have to ensure that principals
contained within the system keytab have the same, high, level of trust
ascribed to them, so I don't believe that there is any practical
increase in risk caused by applying this patch.

Simon.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching someone on the CC list of the bug.
You are watching the reporter.


More information about the openssh-bugs mailing list