Kerberos Digest, Vol 9, Issue 25

Kumaresh kumaresh_ind at gmx.net
Thu Sep 25 12:27:58 EDT 2003


> >>>>> "Jacques" == Jacques A Vidrine <nectar at celabo.org> writes:
>
>     Jacques> On Tue, Sep 23, 2003 at 07:31:49PM +0100, Markus Moeller wrote:
>     >> Here is a patch on top of Simon's gssapi patch for openssh 3.6.1p2 to
>     >> support multihomed systems.
>
>     Jacques> A simpler approach is to pass GSS_C_NO_NAME to gss_acquire_cred.  This
>     Jacques> will allow any name present in the keytab.
>
> Yes, and I'd like to see that as a configurable option.  That would
> even be a reasonable default if you gss_display_name the name and make
> sure it starts with host.

Passing GSS_C_NO_NAME will NOT compare the name in server and client
credentials, if I am correct. If so, is this not bad from a security point
of view?

Thanks,
Kumar
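
The check suggested in the quoted reply above (gss_display_name the name and make sure it starts with host), sketched as an added example that is not part of the original post or of the OpenSSH patch. It assumes the displayed name has the Kerberos form service/hostname@REALM; `acceptor_name_ok`, the host list and the sample names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept `display` only if it is exactly
 * host/<hostname>@<realm> and <hostname> is one of this machine's names. */
bool acceptor_name_ok(const char *display,
                      const char *const *local_hosts, size_t n_hosts)
{
    static const char svc[] = "host/";      /* slash included on purpose */
    const size_t svc_len = sizeof svc - 1;

    if (display == NULL || strncmp(display, svc, svc_len) != 0)
        return false;                       /* rejects "hostile/...", "ldap/..." */
    if (strchr(display, '\\') != NULL)
        return false;                       /* refuse escaped characters outright */

    const char *host = display + svc_len;
    const char *at = strchr(host, '@');
    if (at == NULL || at == host || at[1] == '\0' || strchr(at + 1, '@'))
        return false;                       /* need one non-empty host and realm */

    size_t host_len = (size_t)(at - host);
    if (memchr(host, '/', host_len) != NULL)
        return false;                       /* extra name component */

    for (size_t i = 0; i < n_hosts; i++)    /* exact, case-sensitive match */
        if (strlen(local_hosts[i]) == host_len &&
            memcmp(host, local_hosts[i], host_len) == 0)
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample data: two interface names of one multihomed host. */
    const char *const hosts[] = { "a.example.org", "b.example.org" };
    const char *const samples[] = {
        "host/a.example.org@EXAMPLE.ORG", "host/b.example.org@EXAMPLE.ORG",
        "hostile/a.example.org@EXAMPLE.ORG", "ldap/a.example.org@EXAMPLE.ORG",
        "host/c.example.org@EXAMPLE.ORG",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i],
               acceptor_name_ok(samples[i], hosts, 2) ? "accept" : "reject");
    return 0;
}
```

A bare prefix comparison against "host" would also accept a service such as "hostile", which is why the comparison includes the slash and the hostname is matched against an explicit list.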




