bug: krb5_get_host_realm() no longer uses DNS

Simon Wilkinson simon at sxw.org.uk
Mon May 17 18:00:36 EDT 2010


On 17 May 2010, at 22:07, Nicolas Williams wrote:

> You can always use GSS_C_NO_CREDENTIAL and then inquire the established
> security context's acceptor principal name to see that it matches what
> you expected.

When I added StrictAcceptorCheck support to my OpenSSH patches (and to rot in their bugzilla) I thought about doing this. But I never managed to find a mechanism- and GSSAPI-implementation-independent way of getting a name out of the GSSAPI in a format that I could check against the expected name (host@<something>). If that now exists, I'd be happy to revisit this.

Bear in mind that the OpenSSH GSSAPI code is designed to work with mechanisms other than Kerberos, and with implementations other than MIT. Changes that require mechanism- or implementation-specific hacks are not desirable.

S.




