Pending OpenSSH release, call for testing.

Douglas E. Engert deengert at anl.gov
Tue Sep 14 06:11:59 EST 2004 


Markus Moeller wrote:
> Darren,
> 
> We have systems which are multihomed for virtualisation, but run only one sshd.
> You can connect to any IP-address and should be authenticated with
> gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the
> server has to have an entry for this in the keytab and has to select the right
> key by determining the hostname from the connection IP-address. There is no other
> way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a
> keytab entry per interface, which isn't a problem as gss_import will select the
> right one.   Kerberos depends on a one-to-one mapping of hostname to ip-address.
> You should never have a hostname with two ip-addresses, Kerberos won't normaly
> work.  

Not true. For years we have had Kerberized hosts with multiple addresses.
Kerberos is authenticating principals to each other. The client/user gets
a ticket for host principal, using the name it expects the host to have
a principal for in its keytab.

The situation in question is similar in that one host is pretending to be
multiple hosts, which may or may not use the same interface.

Its not a Kerberos limitation. Its an application requested restriction, as
the gss_acquire_cred(... desired_name,...) is specifying the name of the
single service principal it is to accept.

If this was GSS_C_NO_NAME, then the underlying Kerberos can accept using any of
the service principals in the keytab.

We have a number of hosts with multiple names, and one can use the kerberized
rlogin to login with either name, or ssh if the user uses the real hostname.
Since only the admins are logging in, we have not modified sshd to pass in
GSS_C_NO_NAME, but could use this if this was a modification.


> 
> 
> Regards
> Markus
>  
> 
> On Mon Sep 13 16:14 , 'Douglas E. Engert' <deengert at anl.gov> sent:
> 
> 
>>
>>Darren Tucker wrote:
>>
>>
>>>Markus Moeller wrote:
>>>
>>>
>>>>Could you add to this release a patch which allows gssapi to be used 
>>>>on a multihomed server please ?    There have been several proposals 
>>>>in the past to fix this in    ssh_gssapi_acquire_cred  .  .  -       
>>>>if (gethostname(lname, MAXHOSTNAMELEN))  -               return (-1);  
>>>>+        lname = get_local_hostname(packet_get_connection_in()); 
>>>
>>>
>>>Won't that break Kerberos authenticaton for sshd in inetd mode?
>>
>>
>>It might break more then that. This change would appear to get the name of
>>the interface, rather then the name of the host. It would then require the
>>Kerberos to have a principal for each interface, and the client to know
>>the name of the interface. The Kerberos client is trying to authenticate
>>to the host, not an interface.
>>
>>But if the host actually has multiple names, a possible change is to
>>pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then
>>leaves it upto the GSS to determine the acceptable names. In the Kerberos
>>case this would be any principal name that is in the keytab.
>>
>> RFC2743 says:
>>  o  desired_name INTERNAL NAME, -- NULL requests locally-determined
>>   -- default
>>
>>If you add this change, it should be a configuration option, as
>>the Kerberos replay cache may not be used, and there might be other
>>principals in the keytab that are not expected to be used by sshd.
>>
>>The sysadmin can also set the KRB5_KTNAME env to point to a specific
>>keytab before starting sshd if there are any special situations.
>>
>>
>>
>>-- 
>>
>> Douglas E. Engert  DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
> 
> 
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list