Connections over private network, Simon's GSSAPI patch
Jacques A. Vidrine
nectar at FreeBSD.org
Wed Feb 5 04:45:07 EST 2003
On Tue, Feb 04, 2003 at 12:21:48PM -0500, Carson Gaspar wrote:
> Stop shooting yourself in the foot. Run 2 sshd instances, one on the public
> interface, one on the private interface, and make sure they know their
> correct host names.
This suggestion won't work, because Simon's OpenSSH+GSSAPI uses
gethostname() to determine the GSSAPI host-based service name.
> The only other sane option I can think of is to add an option to ssh and/or
> sshd that lets you select which client and/or server kerberos principal(s)
> to use explicitly, instead of automagically determining them. And that's a
> lot more work. And belongs in the GSSAPI code. Something like:
>
> ssh -oClientPrincipal=carson.admin at taltos.org
> -oServerPrincipal=host/server.private at taltos.org server.private.taltos.org
>
> or (in sshd.conf):
> ServerPrincipal=host/server.private at taltos.org
>
> If you're feeling really studly, have the sshd option take a list of
> principals.
Actually, Simon's OpenSSH+GSSAPI acts differently than most other
Kerberos (and GSSAPI) servers. Generally a server will use
getsockname() in order to determine what service name to use.
Cheers,
--
Jacques A. Vidrine <nectar at celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
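As an added illustration of the distinction Jacques draws (this is example code written for this page, not code from OpenSSH, Simon's GSSAPI patch, or Heimdal), the snippet below contrasts the two ways a server can pick its host-based service name. The first builds "host/<name>" from gethostname(), which on a multi-homed machine names only one of its interfaces; the second builds it from getsockname() on the accepted socket, so the principal follows the address the client actually connected to. The address is rendered numerically (NI_NUMERICHOST) so the example runs offline; a real server would resolve the local address to its FQDN or match it against the principals in its keytab. The 10.0.0.5 address in main() is a constructed sample value.

```c
/* Added example (not from OpenSSH or Simon's GSSAPI patch): two ways a
 * server can derive its host-based GSSAPI service name. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define HOST_BUF 1025   /* same size POSIX NI_MAXHOST uses; defined locally for portability */

/* Style 1: "host/<gethostname()>". This is what the post says Simon's patch
 * does. On a host with a public and a private interface, this yields the same
 * principal for both, which is why running two sshd instances does not help. */
int service_name_from_hostname(char *out, size_t outlen)
{
    char host[256];
    if (gethostname(host, sizeof host) != 0)
        return -1;
    host[sizeof host - 1] = '\0';           /* gethostname need not NUL-terminate on truncation */
    return snprintf(out, outlen, "host/%s", host) < (int)outlen ? 0 : -1;
}

/* Style 2, pure part: "host/<local address>" from a sockaddr. Split out so it
 * can be exercised with a constructed address and no network. NI_NUMERICHOST
 * keeps it offline; a real server would resolve to the FQDN instead. */
int service_name_from_sockaddr(const struct sockaddr *sa, socklen_t salen,
                               char *out, size_t outlen)
{
    char addr[HOST_BUF];
    if (getnameinfo(sa, salen, addr, sizeof addr, NULL, 0, NI_NUMERICHOST) != 0)
        return -1;
    return snprintf(out, outlen, "host/%s", addr) < (int)outlen ? 0 : -1;
}

/* Style 2 on a live socket: getsockname() on the accepted fd returns the
 * address the client connected to, so an sshd bound to the private interface
 * naturally ends up with host/server.private and the public one with
 * host/server.public. */
int service_name_for_socket(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1;
    return service_name_from_sockaddr((struct sockaddr *)&ss, len, out, outlen);
}

int main(void)
{
    char a[HOST_BUF + 8], b[HOST_BUF + 8];
    struct sockaddr_in sin;   /* constructed sample: client reached the private address 10.0.0.5 */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(22);
    inet_pton(AF_INET, "10.0.0.5", &sin.sin_addr);

    if (service_name_from_hostname(a, sizeof a) == 0)
        printf("gethostname() style: %s\n", a);
    if (service_name_from_sockaddr((struct sockaddr *)&sin, sizeof sin, b, sizeof b) == 0)
        printf("getsockname() style: %s\n", b);   /* prints host/10.0.0.5 */
    return 0;
}
```

In a real daemon you would call service_name_for_socket() on the fd returned by accept() before acquiring GSSAPI credentials, so the name the server presents matches the interface the client used.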