Pending OpenSSH release, call for testing.

Douglas E. Engert deengert at anl.gov
Tue Sep 14 01:14:48 EST 2004



Darren Tucker wrote:

> Markus Moeller wrote:
> 
>> Could you add to this release a patch which allows gssapi to be used 
>> on a multihomed server please ?    There have been several proposals 
>> in the past to fix this in    ssh_gssapi_acquire_cred  .  .  -       
>> if (gethostname(lname, MAXHOSTNAMELEN))  -               return (-1);  
>> +        lname = get_local_hostname(packet_get_connection_in()); 
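Review bot: the replacement in ssh_gssapi_acquire_cred drops the error path the removed lines had: a gethostname() failure returned -1, but the new `lname = get_local_hostname(packet_get_connection_in());` is never checked, so a failed lookup would let the function carry on with an unusable name; keep a check that returns -1 when get_local_hostname() yields nothing. The line also makes the acceptor name depend on the socket the connection arrived on rather than on the host's configured name, and packet_get_connection_in() is only meaningful once that connection exists, which is the behaviour questioned in the replies below.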
> 
> 
> Won't that break Kerberos authentication for sshd in inetd mode?


It might break more than that. This change would appear to get the name of
the interface, rather than the name of the host. It would then require the
Kerberos to have a principal for each interface, and the client to know
the name of the interface. The Kerberos client is trying to authenticate
to the host, not an interface.

But if the host actually has multiple names, a possible change is to
pass GSS_C_NO_NAME rather than ctx->name to gss_acquire_cred. This then
leaves it up to the GSS to determine the acceptable names. In the Kerberos
case this would be any principal name that is in the keytab.

  RFC2743 says:
   o  desired_name INTERNAL NAME, -- NULL requests locally-determined
    -- default

If you add this change, it should be a configuration option, as
the Kerberos replay cache may not be used, and there might be other
principals in the keytab that are not expected to be used by sshd.

The sysadmin can also set the KRB5_KTNAME env to point to a specific
keytab before starting sshd if there are any special situations.


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
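The caveat in the message above is that, with GSS_C_NO_NAME, every principal in the keytab becomes acceptable to sshd, so a sysadmin wants to know what is in that keytab and to point sshd at a dedicated one through KRB5_KTNAME. The following shell script is an added example, not code from the thread or from OpenSSH; it parses a constructed sample of `klist -k` output (MIT Kerberos format) to list principals that are not host/ service principals, and builds the KRB5_KTNAME assignment for a keytab file. The sample principals and paths are invented for the example.

```shell
#!/bin/sh
# Added example: audit a keytab before letting sshd accept any principal in
# it, and point sshd at a dedicated keytab via KRB5_KTNAME.

# Constructed sample of `klist -k` output (MIT format) so the example runs
# offline; on a real host use: unexpected_principals "$(klist -k /etc/krb5.keytab)"
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.example.org@EXAMPLE.ORG
   2 host/fs-alias.example.org@EXAMPLE.ORG
   5 nfs/fileserver.example.org@EXAMPLE.ORG
   3 HTTP/fileserver.example.org@EXAMPLE.ORG'

# A second constructed sample: a keytab holding only host/ principals.
CLEAN_KLIST='Keytab name: FILE:/etc/ssh/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.example.org@EXAMPLE.ORG
   2 host/fs-alias.example.org@EXAMPLE.ORG'

# unexpected_principals <klist -k output>
# Prints, one per line and sorted, every principal whose service part is not
# "host"; under GSS_C_NO_NAME these would all become acceptable to sshd even
# though they belong to other services.
unexpected_principals() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {              # data rows start with a numeric KVNO
            split($2, p, "/")          # service/instance@REALM -> p[1] = service
            if (p[1] != "host") seen[$2] = 1
        }
        END { for (k in seen) print k }' | LC_ALL=C sort -u
}

# keytab_is_clean <klist -k output>
# Exit status 0 when only host/ principals are present.
keytab_is_clean() {
    [ -z "$(unexpected_principals "$1")" ]
}

# sshd_keytab_env <keytab path>
# Prints the KRB5_KTNAME assignment for starting sshd against a dedicated
# keytab, e.g.  env $(sshd_keytab_env /etc/ssh/krb5.keytab) /usr/sbin/sshd
# Fails when the file does not exist so a typo is caught before sshd starts
# with no usable credentials.
sshd_keytab_env() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab $kt not found" >&2
        return 1
    fi
    printf 'KRB5_KTNAME=FILE:%s\n' "$kt"
}

# Demo on the constructed sample.
if keytab_is_clean "$SAMPLE_KLIST"; then
    echo "keytab holds only host/ principals"
else
    echo "principals in the keytab that sshd should not be accepting:"
    unexpected_principals "$SAMPLE_KLIST"
fi
```

Run the audit against real `klist -k` output before enabling a GSS_C_NO_NAME style option; if anything other than host/ principals shows up, extract the host/ keys into a separate keytab and start sshd with KRB5_KTNAME pointing at it, as suggested above.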




More information about the openssh-unix-dev mailing list