Kerberos & OpenSSH+GSSAPI problem

Douglas E. Engert deengert at anl.gov
Thu Jan 30 10:10:50 EST 2003



Vladimir Terziev wrote:
> 
>         Hi All,
> 
>         I am implementing Kerberos as an authentication system. For this purpose I use MIT Kerberos v5, OpenSSH v3.4p1 and the appropriate GSSAPI patches for OpenSSH from http://www.sxw.org.uk/computing/patches/openssh.html .
> 
>         Kerberized sshd works fine and uses Kerberos tickets for authentication when the machine has a single interface. But I have some multihomed machines which participate in different domains (respectively, in different Kerberos realms). Sshd on these machines refuses to use my Kerberos tickets for authentication. I think this is because the GSSAPI patches for OpenSSH use the hostname for forming Kerberos principals. In my case, with multihomed machines, the hostname is different from one or more of the interface names of the machine.
> 
>         Does anybody have any idea how I can solve that nasty problem?



Yes, something like this in lib/gssapi/krb5/accept_sec_context.c. This is in the middle of
another mod for user-to-user, so the patch is not exact. The idea is to let krb5_rd_req
use any key in the keytab that matches the ticket provided by the user,
then double-check that it is acceptable. In our case we were switching realms.


*** 365,375 ****
         goto fail;
     }
  
!    if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
                           cred->keytab, NULL, &ticket))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
  
     krb5_auth_con_getauthenticator(context, auth_context, &authdat);
  
--- 639,736 ----
         goto fail;
     }
     
!     if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
                           cred->keytab, NULL, &ticket))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
+ /*
+  * Allow for lax checking of the princ name. This will allow
+  * us to have ssh and ftp use any of the tickets in the 
+  * keytab, as we change from dce.anl.gov to KRB5.ANL.GOV
+  * rlogin already allows this. We will check all but realm.
+  */
+    if ( cred->princ && ticket->server) {
+               int i;
+               int nelem; 
+               nelem = krb5_princ_size(context, cred->princ);
+               if (nelem == krb5_princ_size(context,ticket->server)) {
+                       for (i = 0; i < nelem; i++) {
+                               register const krb5_data *p1 = 
+                                       krb5_princ_component(context, cred->princ ,i);
+                               register const krb5_data *p2 = 
+                                       krb5_princ_component(context, ticket->server, i);
+                               if (p1->length != p2->length ||
+                                               memcmp(p1->data, p2->data, p1->length)) {
+                                       major_status = GSS_S_FAILURE;
+                                       goto fail;
+                               }
+                       }
+               } else {
+                       major_status = GSS_S_FAILURE;
+                       goto fail;
+               }
+    }
  
     krb5_auth_con_getauthenticator(context, auth_context, &authdat);
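Review bot: the loop over krb5_princ_component at the end of this hunk still compares every name component of ticket->server against cred->princ, so only the realm is relaxed; for the multihomed case in the question, where the instance (hostname) component differs per interface, the comparison fails with GSS_S_FAILURE exactly as before. If that case is meant to be covered, compare only the service component (or test the instance against the host's own names) and say so in the comment, which currently reads "We will check all but realm". Separately, the whole check sits under `if ( cred->princ && ticket->server)`: with a NULL acceptor principal, krb5_rd_req now takes any key in the keytab and nothing constrains ticket->server at all, so that path should either be rejected or documented as deliberate.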



 
> 
>         Regards,
> 
>                 Vladimir
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
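The patch's "check all but realm" rule, and the multihomed variant the question actually needs, as an added stand-alone example (written for this page, not code from the patch, from MIT krb5 or from the OpenSSH GSSAPI patches): principals are parsed from their string form by a small parser of this example's own rather than krb5_parse_name, the host names and the example tickets are constructed, and acceptable_multihomed() is this example's extension of the idea, not something the patch does.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 4
#define MAX_LEN 256

/* A principal as name components plus realm: "host/gw.example.org@EXAMPLE.ORG"
 * is components {"host", "gw.example.org"} and realm "EXAMPLE.ORG". */
struct princ {
    int ncomp;
    char comp[MAX_COMPONENTS][MAX_LEN];
    char realm[MAX_LEN];
};

/* Simplified parser written for this example (no backslash quoting): the last
 * '@' starts the realm, '/' separates components. 0 on success, -1 if malformed. */
int parse_princ(const char *s, struct princ *p)
{
    const char *at = strrchr(s, '@');
    const char *start = s;
    const char *sep;
    size_t n;

    memset(p, 0, sizeof *p);
    if (at == NULL || at == s || at[1] == '\0' || at[-1] == '/')
        return -1;                          /* need name@REALM, no trailing '/' */
    if (strlen(at + 1) >= MAX_LEN)
        return -1;
    strcpy(p->realm, at + 1);

    while (start < at) {
        sep = memchr(start, '/', (size_t)(at - start));
        if (sep == NULL)
            sep = at;
        n = (size_t)(sep - start);
        if (n == 0 || n >= MAX_LEN || p->ncomp == MAX_COMPONENTS)
            return -1;                      /* empty/overlong component, or too many */
        memcpy(p->comp[p->ncomp], start, n);
        p->comp[p->ncomp][n] = '\0';
        p->ncomp++;
        start = sep + 1;
    }
    return 0;
}

/* The patch's check after krb5_rd_req: same component count and every component
 * byte-identical; the realm is deliberately not compared. 1 if acceptable. */
int matches_ignoring_realm(const struct princ *server, const struct princ *acceptor)
{
    int i;

    if (server->ncomp != acceptor->ncomp)
        return 0;
    for (i = 0; i < server->ncomp; i++)
        if (strcmp(server->comp[i], acceptor->comp[i]) != 0)
            return 0;
    return 1;
}

/* This example's own extension for the multihomed case in the question (not in
 * the patch): a two-component server name whose service matches and whose
 * instance is one of the host's own names; the realm is again ignored. */
int acceptable_multihomed(const struct princ *server, const char *service,
                          const char *const *hostnames, size_t nhosts)
{
    size_t i;

    if (server->ncomp != 2 || strcmp(server->comp[0], service) != 0)
        return 0;
    for (i = 0; i < nhosts; i++)
        if (strcmp(server->comp[1], hostnames[i]) == 0)
            return 1;
    return 0;
}

/* String-level wrappers: 1 accept, 0 reject, -1 unparsable principal. */
int check_strings(const char *server, const char *acceptor)
{
    struct princ s, a;

    if (parse_princ(server, &s) != 0 || parse_princ(acceptor, &a) != 0)
        return -1;
    return matches_ignoring_realm(&s, &a);
}

int check_multihomed(const char *server, const char *service,
                     const char *const *hostnames, size_t nhosts)
{
    struct princ s;

    if (parse_princ(server, &s) != 0)
        return -1;
    return acceptable_multihomed(&s, service, hostnames, nhosts);
}

int main(void)
{
    /* Constructed inputs: cred->princ in the new realm, a ticket from the old
     * realm, and a ticket for a second interface name of a multihomed host. */
    const char *acceptor = "host/gw.example.org@KRB5.ANL.GOV";
    const char *const names[] = { "gw.example.org", "gw2.example.org" };
    const char *tickets[] = {
        "host/gw.example.org@dce.anl.gov",   /* old realm: patch accepts       */
        "host/gw2.example.org@KRB5.ANL.GOV", /* other interface: patch rejects */
        "ftp/gw2.example.org@KRB5.ANL.GOV",  /* wrong service: both reject     */
    };
    size_t i;

    for (i = 0; i < sizeof tickets / sizeof tickets[0]; i++)
        printf("%-36s patch=%d multihomed=%d\n", tickets[i],
               check_strings(tickets[i], acceptor),
               check_multihomed(tickets[i], "host", names, 2));
    return 0;
}
```

The second ticket is the point of the thread: the realm-only relaxation in the patch still rejects a ticket for another interface name, while the multihomed rule accepts it only because the service component matches and the instance is on the host's own list, so a key for an unrelated principal that happens to be in the keytab does not get a free pass.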

