Kerberos & OpenSSH+GSSAPI problem
Douglas E. Engert
deengert at anl.gov
Thu Jan 30 10:10:50 EST 2003
Vladimir Terziev wrote:
>
> Hi All,
>
> I am implementing Kerberos as an authentication system. For this purpose I use MIT Kerberos v5, OpenSSH v3.4p1 and the appropriate GSSAPI patches for OpenSSH from http://www.sxw.org.uk/computing/patches/openssh.html .
>
> Kerberized sshd works fine and uses Kerberos tickets for authentication when the machine has a single interface. But I have some multihomed machines which participate in different domains (respectively in different Kerberos realms). Sshd on these machines refuses to use my Kerberos tickets for authentication. I think this is because the GSSAPI patches for OpenSSH use the hostname for forming Kerberos principals. In my case, with multihomed machines, the hostname is different from one or more of the interface names of the machine.
>
> Does anybody have any idea how I can solve that nasty problem?
Yes, something like this in lib/gssapi/krb5/accept_sec_context.c. This is in the middle of
another mod for user-to-user, so the patch is not exact. The idea is to let krb5_rd_req
use any key in the keytab that matches the ticket provided by the user,
then double check that it is acceptable. In our case we were switching realms.
*** 365,375 ****
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
--- 639,736 ----
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ /*
+ * Allow for lax checking of the princ name. This will allow
+ * us to have ssh and ftp use any of the tickets in the
+ * keytab, as we change from dce.anl.gov to KRB5.ANL.GOV
+ * rlogin already allows this. We will check all but realm.
+ */
+ if ( cred->princ && ticket->server) {
+ int i;
+ int nelem;
+ nelem = krb5_princ_size(context, cred->princ);
+ if (nelem == krb5_princ_size(context,ticket->server)) {
+ for (i = 0; i < nelem; i++) {
+ register const krb5_data *p1 =
+ krb5_princ_component(context, cred->princ ,i);
+ register const krb5_data *p2 =
+ krb5_princ_component(context, ticket->server, i);
+ if (p1->length != p2->length ||
+ memcmp(p1->data, p2->data, p1->length)) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ } else {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
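Review bot: the comparison in this hunk relaxes only the realm; every other component of `ticket->server` must still match `cred->princ` byte-for-byte, so a ticket issued to `host/<interface-name>` is still rejected on a multi-homed host whose acceptor credential names the canonical hostname, which is the case the question asks about. Two further points on the same block: when `cred->princ` is NULL the whole check under `if ( cred->princ && ticket->server)` is bypassed and any key in the keytab that `krb5_rd_req` can use is accepted, and because the realm is never compared, any realm with a key in the keytab is accepted; consider checking the realm against an explicit list of acceptable realms (or at least logging the accepted server principal) instead of dropping that check entirely.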
>
> Regards,
>
> Vladimir
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444