GSSAPI / Kerberos ticket authentication issues

Greg Hudson ghudson at MIT.EDU
Mon Nov 16 16:34:49 EST 2009


On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
> 		$ ftp -n -i hostname	--> Works properly
> 		$ ftp -n -i hostname-alt	--> Doesn't work.

I believe this is a consequence of how ftpd uses GSSAPI.  It's using
gss_acquire_cred to get credentials for ftp@localhostname and
host@localhostname, instead of just passing the default to
gss_accept_sec_context, which would make it work for any key in the
keytab.

I don't see any good opportunities for workarounds without patching and
recompiling gssftpd.  The local hostname is determined by calling
gethostbyname() on the result of gethostname(), so you can typically
influence which hostname is picked by fiddling with /etc/hosts, but you
can't make it try multiple hostnames.

I'll bring this up on the dev list and see about getting it fixed for a
future release.  If you do want to patch and rebuild to work around
this, I can probably come up with a provisional patch for you in short
order.
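
The two acceptor behaviours described in the message above, as an added example that is not part of the original post and is not gssftpd's code. It is a small C model with no GSSAPI calls; the keytab entries and the function names `accept_bound` and `accept_default` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample keytab: service names this host holds keys for. */
static const char *KEYTAB[] = {
    "ftp@hostname", "host@hostname", "ftp@hostname-alt", "host@hostname-alt",
};
#define NKEYS (sizeof KEYTAB / sizeof KEYTAB[0])

static int in_keytab(const char *service)
{
    for (size_t i = 0; i < NKEYS; i++)
        if (strcmp(KEYTAB[i], service) == 0)
            return 1;
    return 0;
}

/* Model of the behaviour described for ftpd: acceptor credentials exist
 * only for ftp@<local> and host@<local>, where <local> is the one name
 * derived from gethostname(). A ticket for any other name is refused
 * even when its key is in the keytab. */
int accept_bound(const char *local_host, const char *ticket_service)
{
    static const char *const svcs[] = { "ftp", "host" };
    char want[256];
    for (size_t i = 0; i < sizeof svcs / sizeof svcs[0]; i++) {
        snprintf(want, sizeof want, "%s@%s", svcs[i], local_host);
        if (strcmp(want, ticket_service) == 0 && in_keytab(want))
            return 1;
    }
    return 0;
}

/* Model of the default acceptor credential: any key in the keytab works. */
int accept_default(const char *ticket_service)
{
    return in_keytab(ticket_service);
}

int main(void)
{
    const char *targets[] = { "ftp@hostname", "ftp@hostname-alt", "ftp@other" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-18s bound=%d default=%d\n", targets[i],
               accept_bound("hostname", targets[i]),
               accept_default(targets[i]));
    return 0;
}
```

With the default credential, the keytab contents alone decide which service names the server will accept, so the keytab should hold only the keys that server is meant to answer for.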




