GSS_C_NO_NAME for desired_name?

Greg Hudson ghudson at MIT.EDU
Sat Jan 1 13:42:22 EST 2011


On Sat, 2011-01-01 at 11:48 -0500, Brian Candler wrote:
> That is: if someone broke into httpd, and it was using a shared keytab
> which also contained the sshd key, then they'd be able to go fetch (and
> abuse) the sshd key.  And on the flip side, a user who has a legitimate
> ticket for HTTP/foo would also be able to get a legitimate ticket for
> host/foo, so there's no additional problem if sshd happens also to accept
> the HTTP/foo ticket.

The problem comes when you have a host keytab containing host and HTTP
keys (maybe as an artifact of how the site deploys keys to hosts), and a
an httpd keytab containing only the HTTP key.  With "strict acceptor check"
behavior in sshd, this configuration doesn't allow httpd access to sshd.
Without strict acceptor checks, it might.
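
The configuration Greg describes, as an added illustration that is not part of this thread or of MIT Kerberos code: a toy Python model in which a service ticket is an HMAC tag under the service's long-term key (a real ticket is encrypted with that key, but the acceptor-name decision is the same), and a model of gss_accept_sec_context that either insists on a desired_name or, with GSS_C_NO_NAME, accepts any principal its keytab holds a key for. The host "foo", the keys, the two keytabs and the client names are all constructed for the example.

```python
"""Toy model of GSS-API acceptor name checking against a keytab.

Added illustration for the HTTP/foo vs host/foo discussion; not code from
the Kerberos thread or from MIT Kerberos.  A ticket is modelled as a
service name, a client name and an HMAC tag under the service key.
"""
import hashlib
import hmac
import os

# Constructed long-term keys for the hypothetical host "foo".  A real site
# gets these from the KDC when the principals are created.
HOST_KEY = os.urandom(32)   # key for host/foo
HTTP_KEY = os.urandom(32)   # key for HTTP/foo

# The two keytabs from the thread: the host keytab carries both keys (an
# artifact of how keys were deployed), the httpd keytab only the HTTP key.
HOST_KEYTAB = {"host/foo": HOST_KEY, "HTTP/foo": HTTP_KEY}
HTTPD_KEYTAB = {"HTTP/foo": HTTP_KEY}

GSS_C_NO_NAME = None  # "accept as any principal this keytab has a key for"


def _tag(key: bytes, service: str, client: str) -> bytes:
    return hmac.new(key, f"{service}|{client}".encode(), hashlib.sha256).digest()


def make_ticket(service: str, key: bytes, client: str) -> dict:
    """Model of the KDC issuing a service ticket: whoever holds the service
    key can produce one, which is exactly what makes a leaked key dangerous."""
    return {"service": service, "client": client, "tag": _tag(key, service, client)}


def accept_sec_context(keytab: dict, desired_name, ticket: dict):
    """Model of gss_accept_sec_context.  Returns the authenticated client
    name, or None on rejection.

    desired_name is the principal the acceptor wants to be.  GSS_C_NO_NAME
    means the acceptor will be any principal for which the keytab has a key,
    so the ticket's service name is checked only against keytab contents.
    """
    service = ticket["service"]
    if desired_name is not None and service != desired_name:
        return None  # strict acceptor check: ticket is for some other service
    key = keytab.get(service)
    if key is None:
        return None  # no key for that service in this keytab
    if not hmac.compare_digest(_tag(key, service, ticket["client"]), ticket["tag"]):
        return None  # tag not made under the service key: forgery with wrong key
    return ticket["client"]


def forge_ticket_after_httpd_compromise(client: str) -> dict:
    """An attacker who broke into httpd holds only HTTP/foo's key (from the
    httpd keytab) and mints an HTTP/foo ticket naming any client they like."""
    return make_ticket("HTTP/foo", HTTPD_KEYTAB["HTTP/foo"], client)


def sshd_outcome(strict: bool, ticket: dict):
    """sshd reads the host keytab; strict mode passes host/foo as
    desired_name, non-strict mode passes GSS_C_NO_NAME."""
    desired = "host/foo" if strict else GSS_C_NO_NAME
    return accept_sec_context(HOST_KEYTAB, desired, ticket)


if __name__ == "__main__":
    forged = forge_ticket_after_httpd_compromise("attacker@EXAMPLE.COM")
    print("strict sshd, forged HTTP/foo ticket:    ", sshd_outcome(True, forged))
    print("non-strict sshd, forged HTTP/foo ticket:", sshd_outcome(False, forged))
```

Under strict checking the forged HTTP/foo ticket is rejected before the key is even looked up; with GSS_C_NO_NAME the outcome depends only on which keys the host keytab holds, so the attacker logs in as whatever client name they wrote into the ticket. The attacker still cannot mint a host/foo ticket, because that needs HOST_KEY, which never left the host keytab. The two fixes follow directly: have sshd name host/foo as its acceptor, or keep the HTTP key out of sshd's keytab.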
More information about the Kerberos mailing list