GSSAPI, Kerberos and multihomed hosts

Douglas E. Engert deengert at
Tue Sep 14 23:22:00 EST 2004

Darren Tucker wrote:

> (was: "Re: Pending OpenSSH release, call for testing", topic drift at 
> its finest :-)
> Markus Moeller wrote:
>> Douglas,
>> OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are 
>> fine for me too.
> Does GSS_C_NO_NAME relate to this bug (addressless tickets)?

No, The GSS_C_NO_NAME is GSS server defining its own principal name.
The addressless tickets, is turning off the the address list in the
initial TGT. The address list was designed to verify that a ticket
was being used from the correct host by a server using the
getpeername then checking the address list. But in today's world
of NAT and VPNs this is unrealiable.

But the MIT krb5.conf in the [libdefaults] has a noaddresses
flag, which in effect turns off the default of adding addreses.
The submitters of the BUG may want to comment on if this would
work for them.

> BTW, I opened a bug the the multihomed thing a couple of days ago:


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list