gssapi/openssh
Sam Hartman
hartmans at MIT.EDU
Sat May 3 20:11:35 EDT 2003
>>>>> "Greg" == Greg Wettstein <greg at wind.enjellic.com> writes:
Greg> On Apr 30, 6:25pm, Simon Wilkinson wrote:
Greg> } Subject: Re: gssapi/openssh
Greg> Good morning to everyone.
>> On Wed, 30 Apr 2003, peter duff wrote:
>> > I have patched openssh 3.4p1 with simon's gssapi patch, (great job by the
>> > way).
>>
>> There'll be a patch for openssh 3.6.1p2 available in the next
>> few days. This brings the patch up to compliance with the
>> latest version of the draft, as well as fixing some encoding
>> issues.
Greg> I will second the 'great job' on the GSSAPI patch for SSH.
Greg> It's been a must-have for our sites since it first became
Greg> available.
Greg> Any reflections Simon on dealing with the multi-homed host
Greg> issue?
I would appreciate it if the GSSAPI patch could gain an option to pass
in GSS_C_NO_CREDENTIAL into gss_accept_sec_context or GSS_C_NO_NAME
into the server side call for gss_acquire_credentials.

This combined with the 1.3 code should solve the multi-homed hosts
problem nicely. The 1.3 code will accept any principals in the keytab
in the GSS_C_NO_NAME case. Note that if you use this option, you as
an administrator must take care to make sure only principals trusted
for host authentication are allowed in /etc/krb5.keytab.
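
Added example, not part of the original message or of the GSSAPI patch: a shell check an administrator could run over `klist -k /etc/krb5.keytab` output to list keytab principals that are not host keys, since in the GSS_C_NO_NAME case every principal in the keytab can be accepted. The function name, the default allowed service `host`, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a keytab listing for principals outside the allowed service.
# Input: `klist -k` output on stdin (also tolerates the extra columns of -t/-e).
# Output: each unexpected principal, printed once.

untrusted_keytab_principals() {
    allowed="${1:-host}"    # assumption: sshd host keys are host/<fqdn>@REALM
    awk -v allowed="$allowed" '
        # Data rows start with a numeric KVNO; header rows do not.
        $1 ~ /^[0-9]+$/ {
            princ = ""
            # The principal is the first later field that carries a realm.
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { princ = $i; break }
            # Skip rows without a principal and repeats (one row per key).
            if (princ == "" || seen[princ]++) next
            n = split(princ, parts, "/")
            # Flag anything that is not <allowed>/<instance>@REALM.
            if (n < 2 || parts[1] != allowed) print princ
        }'
}

# Constructed sample of `klist -k` output for a multi-homed host.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ssh1.example.com@EXAMPLE.COM
   3 host/ssh1-mgmt.example.com@EXAMPLE.COM
   2 nfs/ssh1.example.com@EXAMPLE.COM
   2 nfs/ssh1.example.com@EXAMPLE.COM
   1 backup@EXAMPLE.COM
EOF
}

# Real use: klist -k /etc/krb5.keytab | untrusted_keytab_principals
sample_klist_output | untrusted_keytab_principals
```

Any principal this prints should either be moved to a separate keytab or be deliberately accepted as trusted for host authentication before the acceptor is switched to GSS_C_NO_NAME.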