gssapi/openssh

Sam Hartman hartmans at MIT.EDU
Sat May 3 20:11:35 EDT 2003


>>>>> "Greg" == Greg Wettstein <greg at wind.enjellic.com> writes:

    Greg> On Apr 30, 6:25pm, Simon Wilkinson wrote (Subject: Re: gssapi/openssh):

    Greg> Good morning to everyone.

    >> On Wed, 30 Apr 2003, peter duff wrote:
    >> > I have patched openssh 3.4p1 with Simon's gssapi patch (great job by the way).
    >> 
    >> There'll be a patch for openssh 3.6.1p2 available in the next
    >> few days.  This brings the patch up to compliance with the
    >> latest version of the draft, as well as fixing some encoding
    >> issues.

    Greg> I will second the 'great job' on the GSSAPI patch for SSH.
    Greg> It's been a must-have for our sites since it first became
    Greg> available.

    Greg> Any reflections Simon on dealing with the multi-homed host
    Greg> issue?

I would appreciate it if the GSSAPI patch could gain an option to pass
GSS_C_NO_CREDENTIAL to gss_accept_sec_context, or GSS_C_NO_NAME to the
server-side call to gss_acquire_credentials.


This, combined with the 1.3 code, should solve the multi-homed hosts
problem nicely.  The 1.3 code will accept any principal in the keytab
in the GSS_C_NO_NAME case.  Note that if you use this option, you as
an administrator must take care to make sure that only principals trusted
for host authentication are allowed in /etc/krb5.keytab.
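The caveat above is the one practitioners tend to skip: once the acceptor is told to use any key in the keytab, every principal in /etc/krb5.keytab becomes an identity the SSH server can authenticate as. The following added example (not code from the OpenSSH GSSAPI patch or from MIT krb5) parses an MIT version-2 keytab (the 0x0502 format that /etc/krb5.keytab uses) and lists any principal that is not a host-service principal. The keytab bytes are constructed inline for the demonstration; the assumption that only `host/` principals are trusted for host authentication is a policy choice passed in as a parameter.

```python
"""Audit an MIT 0x0502 keytab for principals that are not host-service
principals.  Added example, not part of the OpenSSH GSSAPI patch or MIT krb5.
The sample keytab below is constructed in this file, not captured from a host."""
import struct


def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] for every live entry.

    Version 0x0502 entry layout (all integers big-endian):
      int32  size            negative size marks a deleted slot of |size| bytes
      uint16 num_components
      counted realm, then counted component * num_components
      uint32 name_type, uint32 timestamp, uint8 vno8
      uint16 enctype, uint16 keylen, key bytes
      uint32 vno             optional; overrides vno8 when present and non-zero
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        p = off + 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4 + keylen
        kvno = vno8
        if end - p >= 4:        # 32-bit kvno present (needed once kvno > 255)
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, timestamp))
        off = end
    return entries


def audit_keytab(data, allowed_services=("host",)):
    """Principals that are NOT <allowed service>/<instance>@REALM.

    With GSS_C_NO_NAME / GSS_C_NO_CREDENTIAL the acceptor may use any of
    these keys, so each one is effectively a host identity.  The allowed
    service list is an assumed site policy, not something krb5 enforces."""
    bad = []
    for principal, _kvno, _enctype, _ts in parse_keytab(data):
        name = principal.split("@", 1)[0]
        if "/" not in name or name.split("/", 1)[0] not in allowed_services:
            bad.append(principal)
    return bad


def build_entry(realm, comps, kvno, enctype, key, timestamp=0):
    """Serialise one 0x0502 entry (used here only to construct sample data)."""
    body = struct.pack(">H", len(comps))
    for s in (realm, *comps):
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: two host keys for a multi-homed box (one with kvno > 255),
# a deleted slot, and a user key that should never have been added to the keytab.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["host", "ssh1.example.com"], 3, 18, b"\x00" * 32, 1051978295)
    + build_entry("EXAMPLE.COM", ["host", "ssh1-alias.example.com"], 300, 18, b"\x01" * 32, 1051978295)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry("EXAMPLE.COM", ["alice"], 5, 17, b"\x11" * 16, 1051978295)
)

if __name__ == "__main__":
    for principal, kvno, enctype, _ in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal}  kvno={kvno} enctype={enctype}")
    print("not trusted for host authentication:", audit_keytab(SAMPLE_KEYTAB))
```

On a real system, `audit_keytab(open("/etc/krb5.keytab", "rb").read())` gives the same list that `klist -k` would let you eyeball, but in a form you can put in a cron job or configuration-management check before turning the any-principal option on.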
