gssapi auth, and multihomed multinamed hosts

Michael B Allen mba2000 at ioplex.com
Wed Jun 6 11:55:01 EDT 2007


On Wed, 6 Jun 2007 19:36:38 +1000
Edward Irvine <eirvine at tpg.com.au> wrote:

> Hi Folks,
> 
> I have a Solaris 10 server with two ip addresses: "fixed.example.com"  
> and "float.example.com". The latter is an IP address that the server  
> sometimes assumes as part of its role in a high-availability cluster.
> 
> I have compiled my own openssh+gssapi version of sshd, and have got  
> ssh single-sign-on working fine (both Windows SecureCRT, a patched  
> version of PuTTY, and also the Unix openssh clients). So far so good.
> 
> It is now time to get gssapi auth working with the  
> "float.example.com" address.
> 
> Can I expect to just add the keytab for "float.example.com" into  
> /etc/krb5.keytab and expect everything to be OK?

Hi Edward,

I don't have first-hand knowledge of this particular scenario, but from
what I know about GSSAPI it should work fine. GSSAPI works by name, so
provided the key on the KDC associated with the service principal matches
the key in the keytab used by sshd, it should work.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
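
The condition in the reply above (the keytab entry for the service principal must match what the KDC holds) can be checked by comparing key version numbers; the script below is an added example, not part of the original thread. It assumes MIT-style `klist -k` and `kvno` output, a realm named EXAMPLE.COM, and `host/` principals for sshd; all sample output in it is constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Realm EXAMPLE.COM and all sample
# output below are constructed; formats follow MIT-style `klist -k` / `kvno`.

# Print the distinct key versions a `klist -k` listing (stdin) holds for $1.
keytab_kvnos() {
    awk -v p="$1" '$2 == p && $1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# Print N from `kvno` output on stdin ("principal: kvno = N").
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# check_principal PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 = keytab holds the KDC's current key version, 1 = principal
# missing from keytab, 2 = only stale versions present, 3 = no KDC answer.
check_principal() {
    have=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    want=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -z "$want" ]; then echo "$1: no kvno reported by KDC"; return 3; fi
    if [ -z "$have" ]; then echo "$1: not in keytab"; return 1; fi
    for k in $have; do
        if [ "$k" = "$want" ]; then
            echo "$1: keytab has current kvno $want"; return 0
        fi
    done
    echo "$1: keytab kvno $(echo $have) but KDC kvno $want"; return 2
}

# Constructed listing: float was re-keyed on the KDC after the keytab was cut.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/fixed.example.com@EXAMPLE.COM
   2 host/float.example.com@EXAMPLE.COM'
SAMPLE_KVNO_FIXED='host/fixed.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KVNO_FLOAT='host/float.example.com@EXAMPLE.COM: kvno = 3'

check_principal host/fixed.example.com@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_KVNO_FIXED" || true
check_principal host/float.example.com@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_KVNO_FLOAT" || true

# Live use, after kinit:
#   p=host/float.example.com@EXAMPLE.COM
#   check_principal "$p" "$(klist -k /etc/krb5.keytab)" "$(kvno "$p")"
```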


