GSSAPI / Kerberos ticket authentication issues
Broekman, Maarten
Maarten.Broekman at fmr.com
Mon Nov 16 16:39:57 EST 2009
Thanks Greg. Getting it addressed in a future version would be great. Unfortunately, I don't think I'll be able to patch and rebuild.
Maarten Broekman
> -----Original Message-----
> From: Greg Hudson [mailto:ghudson at MIT.EDU]
> Sent: Monday, November 16, 2009 4:35 PM
> To: Broekman, Maarten
> Cc: kerberos at mit.edu
> Subject: Re: GSSAPI / Kerberos ticket authentication issues
>
> On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
> > $ ftp -n -i hostname --> Works properly
> > $ ftp -n -i hostname-alt --> Doesn't work.
>
> I believe this is a consequence of how ftpd uses GSSAPI. It's using
> gss_acquire_cred to get credentials for ftp@localhostname and
> host@localhostname, instead of just passing the default to
> gss_accept_sec_context, which would make it work for any key in the
> keytab.
>
> I don't see any good opportunities for workarounds without patching and
> recompiling gssftpd. The local hostname is determined by calling
> gethostbyname() on the result of gethostname(), so you can typically
> influence which hostname is picked by fiddling with /etc/hosts, but you
> can't make it try multiple hostnames.
>
> I'll bring this up on the dev list and see about getting it fixed for a
> future release. If you do want to patch and rebuild to work around
> this, I can probably come up with a provisional patch for you in short
> order.
>
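
The behaviour described in the quoted reply, as an added diagnostic sketch that is not part of the original thread or of gssftpd: it compares the one hostname ftpd resolves with the entries in a keytab listing and reports which keys the acquired `ftp` and `host` credentials cover and which are ignored. The `klist -k` sample, the host names and the realm are constructed placeholders, and the name is only lowercased here, which is an assumption (the Kerberos library may canonicalize it further).

```python
import re
import socket

# Constructed sample of `klist -k` output; hosts and realm are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/hostname.example.com@EXAMPLE.COM
   3 ftp/hostname.example.com@EXAMPLE.COM
   3 ftp/hostname-alt.example.com@EXAMPLE.COM
"""

# One keytab row: "<kvno> <service>/<host>@<REALM>"
ENTRY = re.compile(r"^\s*\d+\s+(?P<svc>[^/@\s]+)/(?P<host>[^/@\s]+)@(?P<realm>\S+)\s*$")


def keytab_principals(klist_output):
    """Return the set of (service, host) pairs listed by `klist -k`."""
    found = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            found.add((m["svc"], m["host"].lower()))
    return found


def local_hostname():
    """The single name ftpd uses: gethostbyname() on the result of gethostname()."""
    return socket.gethostbyname_ex(socket.gethostname())[0]


def classify(klist_output, hostname=None, services=("ftp", "host")):
    """Split keytab entries into those the acquired credentials cover and the rest."""
    host = (hostname or local_hostname()).lower()
    wanted = {(svc, host) for svc in services}
    entries = keytab_principals(klist_output)
    return {
        "accepted": sorted(entries & wanted),  # clients using these names succeed
        "ignored": sorted(entries - wanted),   # keys present but never tried
        "missing": sorted(wanted - entries),   # names ftpd asks for without a key
    }


if __name__ == "__main__":
    for kind, items in classify(SAMPLE_KLIST, "hostname.example.com").items():
        for svc, host in items:
            print(f"{kind:8} {svc}/{host}")
```

On a real server, pass the actual `klist -k` output and omit `hostname` so the resolver (and therefore /etc/hosts) decides which name is checked.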