Why do "strict acceptor checking"?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Oct 7 20:23:28 EDT 2024
Twice this week I have helped other sites deal with issues related to
"strict acceptor checking" (the programs in question were sshd and
sudo). Both of these programs explicitly have code that constructs a
service name based on the value of gethostname() and thus will only
accept a service ticket for that name regardless of what's actually
in the keytab, and this fails in a number of complicated multihomed
networking situations (sudo does this for the service principal passed
to krb5_verify_init_creds()). At least in the case of sshd there is an
explicit knob to turn this off.
However, this has made me wonder: why do this at all? What is the
possible security gain here? It's not the default in the code; you have
to explicitly write code to enable this behavior. But I can't really
think of a case where NOT having strict acceptor checking is a security
problem; I could maybe squint and envision some kind of weird hosted
server setup where it might matter, but I'm not sure that is ever done
in the real world. I will admit it is entirely possible I am missing
something; if I am, I'd sure like to understand what I am missing.
--Ken
More information about the Kerberos
mailing list