GSSAPI / Kerberos ticket authentication issues
Greg Hudson
ghudson at MIT.EDU
Mon Nov 16 17:40:31 EST 2009
On Mon, 2009-11-16 at 16:53 -0500, Broekman, Maarten wrote:
> Greg,
> One thing I realized I forgot to mention is that I also
> tried using the scan_interfaces and extra_addresses tags in my krb5.conf
> but that didn't help. From the manpage for the krb5.conf these looked
> like they might have addressed the issue.
Those settings don't pertain to this code.
> Also ssh suffers from the
> same problem as gssftp so I'm guessing this is a more general issue and
> not specific to gssftp.
Stock OpenSSH sshd has the same coding issue as ftpd, yes. If your sshd
had the gss-keyex patch, you could control this behavior with the
GSSAPIStrictAcceptorCheck config variable, but unfortunately Red Hat is
not one of the OS vendors who incorporate the gss-keyex patch.