[Bug 928] Kerberos/GSSAPI authentication does not work with multihomed hosts

bugzilla-daemon at mindrot.org
Mon Sep 11 00:04:56 EST 2006


http://bugzilla.mindrot.org/show_bug.cgi?id=928





------- Comment #3 from simon at sxw.org.uk  2006-09-11 00:04 -------
Created an attachment (id=1182)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1182&action=view)
Add new option to allow better operation on multi-homed hosts

This fix takes advantage of recent movements in both Heimdal
and MIT Kerberos to support the use of GSS_C_NO_CREDENTIALS to
indicate that any credential in the default keytab may be used to
accept connections on a multi-homed host. 

The attached patch adds a new option, 'GSSAPIStrictAcceptorCheck', 
which defaults to 'yes'. If it is disabled, then GSS_C_NO_CREDENTIALS
is used instead of the default acceptor credential. This relies on the
system administrator only having trusted server keys in
/etc/krb5.keytab - but if they haven't, they've lost anyway.

Note that this patch needs to be applied after the code tidy up patch
in bug #1225.
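
Added example, not part of the original comment or the attached patch: a shell check for the trust assumption stated above, flagging keytab principals outside an allow-list when GSSAPIStrictAcceptorCheck is set to 'no'. It assumes the keytab listing was saved from plain `klist -k` output; the file names, host names and realm are constructed.

```shell
#!/bin/sh
# Added example (not from the patch). All sample data below is constructed.

# Succeeds if the sshd_config at $1 sets GSSAPIStrictAcceptorCheck to "no".
# Keywords are case-insensitive and sshd keeps the first value it reads.
strict_check_disabled() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/ /' "$1" |
        awk 'tolower($1) == "gssapistrictacceptorcheck" { print tolower($2); exit }' |
        grep -qx 'no'
}

# Prints principals from saved `klist -k` output ($1) that are missing from
# the allow-list file ($2, one principal per line). Header lines are skipped.
unexpected_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' "$1" | sort -u | grep -vxF -f "$2"
}

# audit <sshd_config> <klist-output> <allow-list>; returns 1 on a finding.
audit() {
    if ! strict_check_disabled "$1"; then
        echo "OK: strict acceptor check in effect"; return 0
    fi
    extra=$(unexpected_principals "$2" "$3" || true)
    if [ -n "$extra" ]; then
        echo "WARN: strict check disabled; unlisted keys can accept connections:"
        echo "$extra"; return 1
    fi
    echo "OK: strict check disabled; every keytab principal is allow-listed"
}

# Constructed sample: a two-interface host plus one leftover key.
write_samples() {
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIStrictAcceptorCheck no' > "$1/sshd_config"
    cat > "$1/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/ssh-a.example.com@EXAMPLE.COM
   3 host/ssh-b.example.com@EXAMPLE.COM
   1 host/old-lab.example.com@EXAMPLE.COM
EOF
    printf '%s\n' 'host/ssh-a.example.com@EXAMPLE.COM' \
        'host/ssh-b.example.com@EXAMPLE.COM' > "$1/allowed.txt"
}

d=$(mktemp -d); write_samples "$d"
audit "$d/sshd_config" "$d/klist.txt" "$d/allowed.txt" || true
```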



