GSSAPI / Kerberos ticket authentication issues

Broekman, Maarten Maarten.Broekman at fmr.com
Mon Nov 16 16:53:03 EST 2009


Greg,
	One thing I realized is that I forgot to mention that I also
tried using the scan_interfaces and extra_addresses tags in my krb5.conf
but that didn't help.  From the manpage for krb5.conf these looked
like they might have addressed the issue.  Also, ssh suffers from the
same problem as gssftp, so I'm guessing this is a more general issue and
not specific to gssftp.

Maarten Broekman 
Fidelity | Investment Management Technology 
TSO Server Architecture and Engineering 
Office: (617) 563-9756 
Cell: (617) 590-8005 
Email: maarten.broekman at fmr.com 


>  -----Original Message-----
>  From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
>  Behalf Of Broekman, Maarten
>  Sent: Monday, November 16, 2009 4:40 PM
>  To: Greg Hudson
>  Cc: kerberos at MIT.EDU
>  Subject: RE: GSSAPI / Kerberos ticket authentication issues
>  
>  Thanks Greg.  Getting it addressed in a future version would be great.
>  Unfortunately, I don't think I'll be able to patch and rebuild.
>  
>  Maarten Broekman
>  
>  >  -----Original Message-----
>  >  From: Greg Hudson [mailto:ghudson at MIT.EDU]
>  >  Sent: Monday, November 16, 2009 4:35 PM
>  >  To: Broekman, Maarten
>  >  Cc: kerberos at mit.edu
>  >  Subject: Re: GSSAPI / Kerberos ticket authentication issues
>  >
>  >  On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
>  >  > 		$ ftp -n -i hostname	--> Works properly
>  >  > 		$ ftp -n -i hostname-alt	--> Doesn't work.
>  >
>  >  I believe this is a consequence of how ftpd uses GSSAPI.  It's using
>  >  gss_acquire_cred to get credentials for ftp at localhostname and
>  >  host at localhostname, instead of just passing the default to
>  >  gss_accept_sec_context, which would make it work for any key in the
>  >  keytab.
>  >
>  >  I don't see any good opportunities for workarounds without patching and
>  >  recompiling gssftpd.  The local hostname is determined by calling
>  >  gethostbyname() on the result of gethostname(), so you can typically
>  >  influence which hostname is picked by fiddling with /etc/hosts, but you
>  >  can't make it try multiple hostnames.
>  >
>  >  I'll bring this up on the dev list and see about getting it fixed for a
>  >  future release.  If you do want to patch and rebuild to work around
>  >  this, I can probably come up with a provisional patch for you in short
>  >  order.
>  >
>  
>  
>  
>  ________________________________________________
>  Kerberos mailing list           Kerberos at mit.edu
>  https://mailman.mit.edu/mailman/listinfo/kerberos
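Greg's explanation above comes down to a keytab question: the daemon only acquires acceptor credentials for ftp/ and host/ on the one name that gethostbyname(gethostname()) returns, so a client that connects under any other name (hostname-alt) fails even if that name has a key elsewhere. The script below is an added example, not code from this thread or from MIT Kerberos. It parses `klist -k` style output (a constructed sample listing is embedded) and reports, for a given hostname, whether both ftp/<host> and host/<host> principals are present; the `acceptor_host` helper, which approximates the server's own name selection with `getent hosts`, is an assumption about a typical Linux box and is only shown for real-system use, not run against the sample.

```shell
#!/bin/sh
# Added example (not from the thread or from MIT Kerberos): check whether
# the keytab holds keys for the hostname the GSSAPI acceptor will actually
# use, i.e. the canonical name of gethostbyname(gethostname()).

# Approximate the server's own name selection: canonical name for the
# local hostname, falling back to the bare hostname if lookup fails.
# Assumes getent(1); /etc/hosts edits change the answer, as the thread notes.
acceptor_host() {
    h=$(hostname)
    canon=$(getent hosts "$h" 2>/dev/null | awk '{print $2; exit}')
    printf '%s\n' "${canon:-$h}"
}

# keytab_lists SERVICE HOST  (reads `klist -k` output on stdin)
# Succeeds if a SERVICE/HOST@REALM principal appears in the listing.
keytab_lists() {
    svc=$1
    # MIT krb5 lowercases the canonical hostname when building host-based
    # principals, so compare the lowercase form; escape dots for grep.
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    grep -q "[[:space:]]$svc/$host@"
}

# check_keytab_for_host HOST  (reads `klist -k` output on stdin)
# Prints one line per service and returns 1 if any principal is missing.
check_keytab_for_host() {
    host=$1
    listing=$(cat)
    missing=0
    for svc in ftp host; do
        if printf '%s\n' "$listing" | keytab_lists "$svc" "$host"; then
            echo "ok:      $svc/$host"
        else
            echo "MISSING: $svc/$host  (GSSAPI accept fails for clients using this name)"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of `klist -k` output: the primary name has both keys,
# the alternate name only has a host/ key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 ftp/server.example.com@EXAMPLE.COM
   3 host/server-alt.example.com@EXAMPLE.COM'

# Demo against the sample. On a real host run:
#   klist -k | check_keytab_for_host "$(acceptor_host)"
for h in server.example.com server-alt.example.com; do
    echo "== $h"
    printf '%s\n' "$SAMPLE_KLIST" | check_keytab_for_host "$h" \
        || echo "-> gssftpd on this box would reject clients connecting as $h"
done
```

On a real server the interesting comparison is between the name `acceptor_host` prints and the names clients are actually told to use (CNAMEs, load-balancer names); the check only confirms what the keytab contains, it does not change which name the daemon picks, which, as Greg says, needs a patched gssftpd.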