[19187] in Kerberos
Re: gssapi/openssh
daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat May 3 20:12:27 2003
To: greg@enjellic.com
From: Sam Hartman <hartmans@MIT.EDU>
Date: Sat, 03 May 2003 20:11:35 -0400
In-Reply-To: <200305021439.h42EdA27004855@wind.enjellic.com> (Greg
Wettstein's message of "Fri, 2 May 2003 09:39:10 -0500")
Message-ID: <tslptmzbmfc.fsf@konishi-polis.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
cc: Simon Wilkinson <sxw@warspite.inf.ed.ac.uk>
Errors-To: kerberos-bounces@mit.edu
>>>>> "Greg" == Greg Wettstein <greg@wind.enjellic.com> writes:
Greg> On Apr 30, 6:25pm, Simon Wilkinson wrote:
Greg> } Subject: Re: gssapi/openssh
Greg> Good morning to everyone.
>> On Wed, 30 Apr 2003, peter duff wrote:
>> > I have patched openssh 3.4p1 with simon's gssapi patch, (great job by the
>> > way).
>>
>> There'll be a patch for openssh 3.6.1p2 available in the next
>> few days. This brings the patch up to compliance with the
>> latest version of the draft, as well as fixing some encoding
>> issues.
Greg> I will second the 'great job' on the GSSAPI patch for SSH.
Greg> It's been a must-have for our sites since it first became
Greg> available.
Greg> Any reflections, Simon, on dealing with the multi-homed host
Greg> issue?
I would appreciate it if the GSSAPI patch could gain an option to pass
in GSS_C_NO_CREDENTIAL into gss_accept_sec_context or GSS_C_NO_NAME
into the server side call for gss_acquire_credentials.
This combined with the 1.3 code should solve the multi-homed hosts
problem nicely. The 1.3 code will accept any principals in the keytab
in the GSS_C_NO_NAME case. Note that if you use this option, you as
an administrator must take care to make sure only principals trusted
for host authentication are allowed in /etc/krb5.keytab.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
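The keytab check the message above asks administrators to make, sketched as an added example (not part of the original message and not code from the GSSAPI patch or MIT Kerberos): it reads the principal names out of a keytab in file format 0x0502 and lists every entry that is not `host/<name>@<realm>` for one of the machine's own names. The function names, host names, realm and the sample keytab are constructed for illustration.

```python
import struct

def _cs(b):
    """Counted string as stored in a keytab: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b

def make_entry(principal, kvno=1, enctype=18, key=b"\0" * 32):
    """Build one keytab record (constructed sample data, dummy all-zero key)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    # name type, timestamp, 8-bit kvno, enctype, key, then 32-bit kvno
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cs(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def principals(data):
    """Return the principal names stored in keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted record
            pos -= size
            continue
        rec, off, fields = data[pos:pos + size], 2, []
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        for _ in range(ncomp + 1):        # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, off)
            fields.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(fields[1:]) + "@" + fields[0])
        pos += size
    return names

def untrusted(data, hostnames, realm):
    """Entries that are not host/<one of this machine's names>@<realm>."""
    ok = {f"host/{h}@{realm}" for h in hostnames}
    return sorted({p for p in principals(data) if p not in ok})

# Constructed sample: two host keys for a multi-homed machine, a deleted
# record, and two entries that do not belong in a keytab used this way.
SAMPLE = (b"\x05\x02" + make_entry("host/a.example.com@EXAMPLE.COM")
          + struct.pack(">i", -6) + b"\0" * 6
          + make_entry("host/b.example.com@EXAMPLE.COM")
          + make_entry("nfs/a.example.com@EXAMPLE.COM")
          + make_entry("backup@EXAMPLE.COM"))

if __name__ == "__main__":
    print(untrusted(SAMPLE, ["a.example.com", "b.example.com"], "EXAMPLE.COM"))
```

To run it against a real file, pass the bytes of `/etc/krb5.keytab` (read as root) to `untrusted()` along with the names the host answers to.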