GSSAPI / Kerberos ticket authentication issues
Broekman, Maarten
Maarten.Broekman at fmr.com
Mon Nov 16 16:53:03 EST 2009
Greg,
One thing I realized is that I forgot to mention is that I also
tried using the scan_interfaces and extra_addresses tags in my krb5.conf
but that didn't help. From the manpage for the krb5.conf these looked
like they might have addressed the issue. Also ssh suffers from the
same problem as gssftp so I'm guessing this is a more general issue and
not specific to gssftp.
Maarten Broekman
Fidelity | Investment Management Technology
TSO Server Architecture and Engineering
Office: (617) 563-9756
Cell: (617) 590-8005
Email: maarten.broekman at fmr.com
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> Behalf Of Broekman, Maarten
> Sent: Monday, November 16, 2009 4:40 PM
> To: Greg Hudson
> Cc: kerberos at MIT.EDU
> Subject: RE: GSSAPI / Kerberos ticket authentication issues
>
> Thanks Greg. Getting it addressed in a future version would be
great.
> Unfortunately, I don't think I'll be able to patch and rebuild.
>
> Maarten Broekman
>
> > -----Original Message-----
> > From: Greg Hudson [mailto:ghudson at MIT.EDU]
> > Sent: Monday, November 16, 2009 4:35 PM
> > To: Broekman, Maarten
> > Cc: kerberos at mit.edu
> > Subject: Re: GSSAPI / Kerberos ticket authentication issues
> >
> > On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote:
> > > $ ftp -n -i hostname --> Works properly
> > > $ ftp -n -i hostname-alt --> Doesn't
work.
> >
> > I believe this is a consequence of how ftpd uses GSSAPI. It's
using
> > gss_acquire_cred to get credentials for ftp at localhostname and
> > host at localhostname, instead of just passing the default to
> > gss_accept_sec_context, which would make it work for any key in
the
> > keytab.
> >
> > I don't see any good opportunities for workarounds without
patching
> and
> > recompiling gssftpd. The local hostname is determined by calling
> > gethostbyname() on the result of gethostname(), so you can
typically
> > influence which hostname is picked by fiddling with /etc/hosts,
but
> you
> > can't make it try multiple hostnames.
> >
> > I'll bring this up on the dev list and see about getting it fixed
for
> a
> > future release. If you do want to patch and rebuild to work
around
> > this, I can probably come up with a provisional patch for you in
short
> > order.
> >
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list