OpenSSH problem on Solaris 8

Jacques A. Vidrine n at nectar.cc
Wed May 22 14:49:53 EDT 2002


On Wed, May 22, 2002 at 02:34:02PM -0400, Nicolas.Williams at ubsw.com wrote:
> 
> Ideally the acceptor name is irrelevant to the acceptor. After all,
> the ability to accept a sec context implies having the necessary and
> valid keytab entries available, and that is good enough IMHO. Such
> behaviour would be necessary on virtualized servers.
> 
> For the acceptor to accept GSS contexts without regard as to the
> acceptor name used by the initiator you need a patch to MIT krb5's
> GSS implementation. The idea is to call gss_accept_sec_context()
> with the default acceptor credential and later use
> gss_inquire_sec_context() to determine the actual acceptor name, if
> desired.

In other words, wait to see what ticket (initiator credentials) you
get from the client, and then see if you have a keytab entry (acceptor
credentials) for it?

Cheers,
-- 
Jacques A. Vidrine <n at nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine at verio.net     .  nectar at FreeBSD.org  .          nectar at kth.se
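
A simplified model of the lookup asked about above, as an added example that is not part of the original message and is not MIT krb5 or Heimdal code. The keytab contents, `accept_ticket`, `toy_seal` and the return codes are hypothetical, and the toy checksum only stands in for decrypting the ticket with the service key.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simplified model, not real Kerberos: a keytab entry and a ticket whose
 * "seal" stands in for the part encrypted under the service key. */
struct kt_entry { const char *principal; unsigned kvno; uint32_t key; };
struct ticket   { const char *sname; unsigned kvno; const char *client; uint32_t seal; };

/* Toy keyed checksum (FNV-1a seeded with the key); NOT cryptography. */
static uint32_t toy_seal(uint32_t key, const char *sname, const char *client) {
    uint32_t h = 2166136261u ^ key;
    for (const char *p = sname; *p; p++)  h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = client; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

/* Constructed keytab for one host serving two virtual names. */
static const struct kt_entry KEYTAB[] = {
    { "host/www1.example.com@EXAMPLE.COM", 3, 0x1111aaaau },
    { "host/www2.example.com@EXAMPLE.COM", 1, 0x2222bbbbu },
};

/* Accept a ticket. want == NULL models the default acceptor credential:
 * any keytab entry matching the ticket's service name may be used.
 * A non-NULL want pins the acceptor to one name. On success returns 0 and
 * stores the name actually used (what a later context inquiry reports). */
int accept_ticket(const struct ticket *t, const char *want, const char **acceptor) {
    if (want && strcmp(want, t->sname) != 0) return -1;   /* wrong acceptor name */
    for (size_t i = 0; i < sizeof KEYTAB / sizeof KEYTAB[0]; i++) {
        const struct kt_entry *e = &KEYTAB[i];
        if (strcmp(e->principal, t->sname) != 0 || e->kvno != t->kvno) continue;
        if (toy_seal(e->key, t->sname, t->client) != t->seal) return -2; /* bad key */
        *acceptor = e->principal;
        return 0;
    }
    return -3;                                            /* no keytab entry */
}

int main(void) {
    struct ticket t = { "host/www2.example.com@EXAMPLE.COM", 1, "alice@EXAMPLE.COM", 0 };
    t.seal = toy_seal(0x2222bbbbu, t.sname, t.client);    /* as issued by the KDC */
    const char *who = "(none)";
    int pinned = accept_ticket(&t, KEYTAB[0].principal, &who);
    int dflt   = accept_ticket(&t, NULL, &who);
    printf("pinned to www1: %d\n", pinned);
    printf("default cred:   %d as %s\n", dflt, who);
    return 0;
}
```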


