OpenSSH problem on Solaris 8
Jacques A. Vidrine
n at nectar.cc
Wed May 22 14:49:53 EDT 2002
On Wed, May 22, 2002 at 02:34:02PM -0400, Nicolas.Williams at ubsw.com wrote:
>
> Ideally the acceptor name is irrelevant to the acceptor. After all,
> the ability to accept a sec context implies having the necessary and
> valid keytab entries available, and that is good enough IMHO. Such
> behaviour would be necessary on virtualized servers.
>
> For the acceptor to accept GSS contexts without regard as to the
> acceptor name used by the initiator you need a patch to MIT krb5's
> GSS implementation. The idea is to call gss_accept_sec_context()
> with the default acceptor credential and later use
> gss_inquire_sec_context() to determine the actual acceptor name, if
> desired.

In other words, wait to see what ticket (initiator credentials) you
get from the client, and then see if you have a keytab entry (acceptor
credentials) for it?

Cheers,
--
Jacques A. Vidrine <n at nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
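
A simplified Python model of the acceptor behaviour discussed in this thread, added here as an example; it is not code from the posts, MIT krb5, Heimdal or OpenSSH. An HMAC stands in for Kerberos ticket encryption, and `issue_ticket`, `accept`, `KEYTAB` and the principal names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample keytab: service principal -> long-term key (not real keys).
KEYTAB = {
    "host/web1.example.com@EXAMPLE.COM": os.urandom(32),
    "host/www.example.com@EXAMPLE.COM": os.urandom(32),
}

def _mac(key, sname, client):
    return hmac.new(key, f"{sname}|{client}".encode(), hashlib.sha256).digest()

def issue_ticket(sname, client, key):
    """Stand-in for the KDC: bind the client name to the service key."""
    return {"sname": sname, "client": client, "mac": _mac(key, sname, client)}

def accept(ticket, keytab, acceptor_name=None):
    """Model of accepting a security context.

    acceptor_name=None models the default acceptor credential: the key is
    chosen from the keytab by the service name carried in the ticket.
    A fixed acceptor_name models an acceptor bound to a single principal.
    Returns (client, actual_acceptor_name); raises PermissionError otherwise.
    """
    sname = ticket["sname"]
    if acceptor_name is not None and sname != acceptor_name:
        raise PermissionError(f"ticket is for {sname}, not {acceptor_name}")
    key = keytab.get(sname)
    if key is None:
        raise PermissionError(f"no keytab entry for {sname}")
    if not hmac.compare_digest(_mac(key, sname, ticket["client"]), ticket["mac"]):
        raise PermissionError("ticket integrity check failed")
    # The caller can inspect the returned acceptor name after the fact.
    return ticket["client"], sname

if __name__ == "__main__":
    alias = "host/www.example.com@EXAMPLE.COM"
    t = issue_ticket(alias, "alice@EXAMPLE.COM", KEYTAB[alias])
    print("default credential:", accept(t, KEYTAB))
    try:
        accept(t, KEYTAB, acceptor_name="host/web1.example.com@EXAMPLE.COM")
    except PermissionError as e:
        print("fixed acceptor name:", e)
```

In this model the keytab is the trust boundary: with the default credential, every principal whose key is in the keytab can be accepted, so a service that cares which name was used checks the returned acceptor name.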