GSSAPI, Kerberos and multihomed hosts
Douglas E. Engert
deengert at anl.gov
Tue Sep 14 23:22:00 EST 2004
Darren Tucker wrote:
> (was: "Re: Pending OpenSSH release, call for testing", topic drift at
> its finest :-)
>
> Markus Moeller wrote:
>
>> Douglas,
>>
>> OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are
>> fine for me too.
>
>
> Does GSS_C_NO_NAME relate to this bug (addressless tickets)?
> http://bugzilla.mindrot.org/show_bug.cgi?id=488
No, GSS_C_NO_NAME is the GSS server defining its own principal name.
Addressless tickets means turning off the address list in the
initial TGT. The address list was designed to verify that a ticket
was being used from the correct host by a server using
getpeername and then checking the address list. But in today's world
of NAT and VPNs this is unreliable.
But the MIT krb5.conf in the [libdefaults] has a noaddresses
flag, which in effect turns off the default of adding addresses.
The submitters of the bug may want to comment on whether this would
work for them.
>
> BTW, I opened a bug the the multihomed thing a couple of days ago:
> http://bugzilla.mindrot.org/show_bug.cgi?id=928
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
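Added example, not from this thread or from the OpenSSH or MIT projects: a small Python check that reads the [libdefaults] section of a krb5.conf and reports whether the noaddresses relation discussed above is set. The sample configuration is constructed, and the set of spellings accepted as "true" is an assumption taken from MIT's documented boolean handling.

```python
import re
from typing import Dict, Optional

# Constructed sample krb5.conf (not a real site's file); the [realms] block
# only shows that brace-delimited sub-blocks do not confuse the parser.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Spellings MIT krb5 accepts as a true boolean (assumption, from its docs).
_TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Flat key = value relations per section; {...} sub-blocks are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):                   # enter a nested block
            depth += 1
            continue
        if line == "}":                          # leave it
            depth = max(depth - 1, 0)
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def noaddresses_setting(text: str) -> Optional[bool]:
    """True/False for an explicit [libdefaults] noaddresses, None if absent."""
    value = parse_krb5_conf(text).get("libdefaults", {}).get("noaddresses")
    if value is None:
        return None                  # library default applies; flag for review
    return value.lower() in _TRUE_VALUES   # any other spelling counts as false
```

A None result is worth reviewing explicitly, since whether address lists end up in the TGT then depends on the library's compiled-in default rather than on site policy.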