Problem with krb524d/aklog and shared hostname keytabs...

Neulinger, Nathan nneul at umr.edu
Tue Mar 11 12:51:11 EST 2003


Well, that fixed the aklog problem with telnet. However, it looks like
ssh w/ gssapi support doesn't work at all to the multiple-address
hostname. It gets a gss_accept_context died error. 

Connecting to gpunix.umr.edu, hosts have addresses gpunix1.cc.umr.edu
and gpunix2.cc.umr.edu, and have keytabs containing all three princs. 

Suggestions?

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Neulinger, Nathan 
> Sent: Monday, March 10, 2003 3:22 PM
> To: Sam Hartman
> Cc: krbdev
> Subject: RE: Problem with krb524d/aklog and shared hostname keytabs...
> 
> 
> Would security of the following be roughly equivalent to addressless
> tickets?
> 
> Removing this code in krb524/cnv_tkt_skey.c:
> 
>      if (!krb5_address_search(context, &kaddr, v5etkt->caddrs)) {
>          if (krb524_debug)
>              fprintf(stderr, "Invalid v5creds address information.\n");
>          krb5_free_enc_tkt_part(context, v5etkt);
>          v5tkt->enc_part2 = NULL;
>          return KRB524_BADADDR;
>      }
> 
> Cause that appears to solve (or at least hide) this issue...
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul at umr.edu
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216
> 
> 
> > -----Original Message-----
> > From: Sam Hartman [mailto:hartmans at mit.edu] 
> > Sent: Monday, March 10, 2003 2:02 PM
> > To: Neulinger, Nathan
> > Cc: krbdev
> > Subject: Re: Problem with krb524d/aklog and shared hostname keytabs...
> > 
> > 
> > I don't think we claim to support or even think about any issues
> > involving krb4 and addresses that do not exactly match.
> > 
> > If it doesn't work with krb524d mod to just throw the v5 ticket part
> > into an AFS token, we probably care.
> > 
> > 
> > --Sam
> > 
> > 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
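The question in the quoted exchange is whether deleting krb524d's address comparison is "roughly equivalent to addressless tickets". The following is an added model, not code from krb5 or the krb524 sources, that reproduces the shape of that check so the two options can be compared side by side. It assumes only what the quoted snippet shows (a lookup of the requesting address in the ticket's address list, failing with a bad-address error), plus one modelling assumption: a ticket with no addresses passes the lookup, which is how I recall krb5_address_search() treating an empty list. The hosts and addresses (the 192.0.2.0/24 documentation range) are constructed placeholders standing in for the two multi-homed hosts in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified IPv4-only stand-in for a Kerberos address; not krb5's krb5_address. */
typedef struct {
    uint8_t octets[4];
} model_addr;

/* The ticket fields the check consults. naddrs == 0 models an addressless ticket. */
typedef struct {
    const model_addr *caddrs;
    size_t naddrs;
} model_ticket;

enum { MODEL_OK = 0, MODEL_BADADDR = 1 };

/* Models krb5_address_search(): true when addr is in the list.
 * Assumption (see lead-in): an empty list matches, as an addressless ticket would. */
static bool model_address_search(const model_addr *addr, const model_addr *list, size_t n)
{
    if (n == 0)
        return true;
    for (size_t i = 0; i < n; i++)
        if (memcmp(addr->octets, list[i].octets, sizeof addr->octets) == 0)
            return true;
    return false;
}

/* Option 1: keep the check as in the quoted snippet. The requesting address
 * must appear in the ticket's address list, or the conversion is refused. */
static int convert_with_check(const model_ticket *t, const model_addr *from)
{
    if (!model_address_search(from, t->caddrs, t->naddrs))
        return MODEL_BADADDR;
    return MODEL_OK;
}

/* Option 2: the check removed, as the quoted message proposes. Every ticket
 * is now treated the way an addressless ticket already was. */
static int convert_without_check(const model_ticket *t, const model_addr *from)
{
    (void)t;
    (void)from;
    return MODEL_OK;
}

/* Constructed placeholder addresses for the two hosts behind one hostname. */
static const model_addr HOST_A = {{192, 0, 2, 1}};
static const model_addr HOST_B = {{192, 0, 2, 2}};

/* Ticket carries host A's address; the krb524 request arrives from host B.
 * This is the multi-homed failure described in the thread. */
static int scenario_multihomed(bool keep_check)
{
    model_ticket t = { &HOST_A, 1 };
    return keep_check ? convert_with_check(&t, &HOST_B)
                      : convert_without_check(&t, &HOST_B);
}

/* Ticket carries host A's address and the request comes from host A. */
static int scenario_same_host(bool keep_check)
{
    model_ticket t = { &HOST_A, 1 };
    return keep_check ? convert_with_check(&t, &HOST_A)
                      : convert_without_check(&t, &HOST_A);
}

/* Addressless ticket: the issuer opted out of address binding for this ticket only. */
static int scenario_addressless(bool keep_check)
{
    model_ticket t = { NULL, 0 };
    return keep_check ? convert_with_check(&t, &HOST_B)
                      : convert_without_check(&t, &HOST_B);
}

static const char *verdict(int rc)
{
    return rc == MODEL_OK ? "accepted" : "KRB524_BADADDR";
}

int main(void)
{
    printf("%-24s %-16s %s\n", "scenario", "check kept", "check removed");
    printf("%-24s %-16s %s\n", "multi-homed, other addr",
           verdict(scenario_multihomed(true)), verdict(scenario_multihomed(false)));
    printf("%-24s %-16s %s\n", "same host",
           verdict(scenario_same_host(true)), verdict(scenario_same_host(false)));
    printf("%-24s %-16s %s\n", "addressless ticket",
           verdict(scenario_addressless(true)), verdict(scenario_addressless(false)));
    return 0;
}
```

What the table makes visible is the difference in scope: with the check kept, only a ticket that was issued addressless skips the comparison, so the decision is made per ticket at issue time; with the check removed, every ticket behaves as if it were addressless at the krb524d step, including tickets that were deliberately issued with addresses. Whether that is an acceptable trade is a policy question for the site, but it is a broader change than issuing addressless tickets to the hosts that need them.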


