[20101] in Athena Bugs
Re: SSH patch to deal with krb5 to non-reverse-resolving hosts
daemon@ATHENA.MIT.EDU (Derek Atkins)
Sat Jan 12 19:38:13 2002
To: Garry Zacheiss <zacheiss@MIT.EDU>
Cc: Greg Hudson <ghudson@MIT.EDU>, bugs@MIT.EDU
From: Derek Atkins <warlord@MIT.EDU>
Date: 12 Jan 2002 19:38:08 -0500
In-Reply-To: <200201102155.QAA17212@brad-majors.mit.edu>
Message-ID: <sjmsn9b9jbj.fsf@indiana.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
I had a few free minutes so I took a look at /mit/source/third/openssh
and the same problem does exist there. In particular in
sshconnect1.c there is this code:
    /* PTR of the peer address, or the address as a string if no PTR */
    remotehost = get_canonical_hostname(1);
    problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
                          "host", remotehost, NULL, ccache, &ap);
    if (problem) {
            debug("Kerberos v5: krb5_mk_req failed: %s",
                  krb5_get_err_text(*context, problem));
            ret = 0;
            goto out;
    }
remotehost is always going to be the PTR of the server's ip address
(or the string of the address if no PTR exists). So a similar
approach to my patch is certainly warranted here. The only question I
have (without reading more code) is whether krb5_mk_req is going to
try to canonicalize names itself. If so, then there is still a
problem in the case where the PTR does exist but "isn't valid".
-derek
Garry Zacheiss <zacheiss@MIT.EDU> writes:
> Without commenting on the correctness of the patch, I'll point
> out that you patched code we won't be running in about 6 months. I
> think you'll be better off patching OpenSSH (third/openssh in the Athena
> source tree) if it also exhibits the behavior you're trying to correct,
> since that's what we'll be running in the next release.
>
> Garry
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
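An added illustration of the principal-naming problem discussed in this thread (example code, not from the thread or from OpenSSH, and it does not model any canonicalization krb5_mk_req itself may perform). With constructed DNS and keytab data, it compares the host/ principal that a get_canonical_hostname()-style PTR lookup yields against deriving the principal from the name the user typed, and checks which one the server's keytab could actually decrypt.

```python
REALM = "EXAMPLE.COM"

# Constructed DNS data (not real hosts): forward A records and PTR records.
FORWARD = {
    "ssh1.example.com": "10.0.0.1",   # normal host, PTR matches
    "ssh2.example.com": "10.0.0.2",   # no PTR record at all
    "alias.example.com": "10.0.0.3",  # alias; PTR names the real host
    "real.example.com": "10.0.0.3",
}
PTR = {"10.0.0.1": "ssh1.example.com", "10.0.0.3": "real.example.com"}

# Constructed keytab contents per server: which host/ principals have keys.
SERVER_KEYTAB = {
    "10.0.0.1": {f"host/ssh1.example.com@{REALM}"},
    "10.0.0.2": {f"host/ssh2.example.com@{REALM}"},
    "10.0.0.3": {f"host/real.example.com@{REALM}"},
}


def ptr_based_principal(addr: str) -> str:
    """Mirrors get_canonical_hostname(): the PTR of the peer address, or the
    address itself as a string when no PTR exists."""
    return f"host/{PTR.get(addr, addr)}@{REALM}"


def typed_name_principal(typed: str) -> str:
    """Alternative strategy (an assumption, not the thread's patch): use the
    name the user typed, lowercased with any trailing dot stripped, after
    checking that it forward-resolves; the PTR is never consulted."""
    name = typed.rstrip(".").lower()
    if name not in FORWARD:
        raise ValueError(f"{name!r} does not resolve")
    return f"host/{name}@{REALM}"


def outcome(typed: str) -> dict:
    """For a hostname the user typed, report the principal each strategy
    would request and whether the server's keytab holds a key for it."""
    addr = FORWARD[typed.rstrip(".").lower()]
    p_ptr = ptr_based_principal(addr)
    p_typed = typed_name_principal(typed)
    return {
        "ptr": (p_ptr, p_ptr in SERVER_KEYTAB[addr]),
        "typed": (p_typed, p_typed in SERVER_KEYTAB[addr]),
    }
```

The no-PTR host shows the failure the thread describes (the client asks for host/10.0.0.2, which no keytab holds), while the alias case shows the trade-off of the typed-name strategy: without canonicalization the client asks for host/alias.example.com, which the server keyed as real.example.com cannot decrypt.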