GSSAPI patch for multihomed hosts
Markus Moeller
markus_moeller at compuserve.com
Fri Mar 26 10:47:32 EST 2004
Jacques,
But I think with GSS_C_NO_NAME you lose the mutual authentication. An
option to select would be best.
Regards
Markus
----- Original Message -----
From: "Jacques A. Vidrine" <nectar at FreeBSD.org>
To: "Markus Moeller" <markus_moeller at compuserve.com>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Thursday, March 25, 2004 3:51 PM
Subject: Re: GSSAPI patch for multihomed hosts
>
> On Wed, Mar 24, 2004 at 12:34:23AM -0000, Markus Moeller wrote:
> > Hi,
> >
> > This is another attempt to get my gssapi for multihomed systems into
> > openssh. Please find attached a small change so that gssapi authentication
> > works on multihomed systems.
>
> I don't think this patch should be applied. At least in the
> (MIT|Heimdal) Kerberos case, it is better to simply pass GSS_C_NO_NAME
> to gss_acquire_cred to accomplish the same thing.
>
> More desirable IMHO is a patch for the client to use HostKeyAlias
> to compute the GSSAPI name (so that tunneled SSH+GSSAPI connections
> work). I have something similar (but uses a different option name).
> Due to compatibility issues, I'm still on OpenSSH 3.6.1+GSSAPI patches,
> but when I get a chance to migrate to 3.8 I will post patches here.
>
> Cheers,
> --
> Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
>