acceptor

Brian Candler B.Candler at pobox.com
Wed Jan 26 15:14:39 EST 2011


On Wed, Jan 26, 2011 at 04:16:54AM +0000, Victor Sudakov wrote:
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g. 
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

AFAIK, it's a parameter to gss_acquire_cred(). You might find this patch
from Russ Allbery a starting point:

http://bugzilla.cyrusimap.org/show_bug.cgi?id=3380

(which passes NO_NAME, which means that any key in the keytab which is
capable of decrypting the ticket is acceptable)

Looking at openssh source[*], check out ssh_gssapi_acquire_cred (gss-serv.c)
which calls ssh_gssapi_import_name (gss-genr.c).  It looks like it's
hardcoded to "host@<hostname>" which in turn is translated into
host/<hostname> by GSSAPI.

However, you can also see that if you turn off options.gss_strict_acceptor
then it also passes NO_NAME, and hence uses any suitable keytab entry.

Regards,

Brian.

[*] I'm looking at the source from "apt-get source openssh-server" in Ubuntu
10.10, which is openssh-5.5p1 with a lot of Debian-applied patches


