[32363] in Kerberos
Re: bug: krb5_get_host_realm() no longer uses DNS
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Mon May 17 18:00:55 2010
Mime-Version: 1.0 (Apple Message framework v1078)
From: Simon Wilkinson <simon@sxw.org.uk>
In-Reply-To: <20100517210721.GF9429@oracle.com>
Date: Mon, 17 May 2010 23:00:36 +0100
Message-Id: <463B58EF-E216-4EE0-8E3C-C6AC23C31370@sxw.org.uk>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Cc: Richard Silverman <res@qoxp.net>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 17 May 2010, at 22:07, Nicolas Williams wrote:
> You can always use GSS_C_NO_CREDENTIAL and then inquire the established
> security context's acceptor principal name to see that it matches what
> you expected.
When I added StrictAcceptorCheck support to my OpenSSH patches (and to rot in their bugzilla) I thought about doing this. But I never managed to find a mechanism and GSSAPI implementation independent way of getting a name out of the GSSAPI in a format that I could check against the expected name (host@<something>). If that now exists, I'd be happy to revisit this.
Bear in mind that the OpenSSH GSSAPI code is designed to work with mechanisms other than Kerberos, and with implementations other than MIT. Changes that require mechanism or implementation specific hacks are not desirable.
S.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
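The check Nicolas describes (accept with GSS_C_NO_CREDENTIAL, then inquire the established context's acceptor name and compare it with what you expected) still needs the string-level comparison Simon says he could not do mechanism-independently. The following is an added example, not OpenSSH's, MIT's or the thread's code. It assumes the acceptor name has already been turned into a string by gss_display_name() on a context that reached GSS_S_COMPLETE (no GSSAPI library is linked here; the strings are constructed inputs), and it handles the two display forms a practitioner is likely to meet: the host-based service form "host@fqdn" and the Kerberos principal form "host/fqdn@REALM". Those forms are exactly the implementation-specific assumption the thread warns about, so the parser rejects anything else rather than guessing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256

struct acceptor_name {
    char service[NAME_MAX_LEN];   /* e.g. "host" */
    char host[NAME_MAX_LEN];      /* e.g. "server.example.com" */
};

/* Copy [begin, end) into dst, rejecting empty or oversized components. */
static int copy_component(char *dst, const char *begin, const char *end)
{
    size_t len = (size_t)(end - begin);
    if (len == 0 || len >= NAME_MAX_LEN)
        return 0;
    memcpy(dst, begin, len);
    dst[len] = '\0';
    return 1;
}

/* Parse the displayed acceptor name (assumed to come from gss_display_name()).
 * Accepted forms:
 *   "service@fqdn"         host-based service name as displayed
 *   "service/fqdn@REALM"   Kerberos principal as displayed by MIT/Heimdal
 * Returns 1 and fills *out on success, 0 on anything unrecognised. */
static int parse_acceptor_name(const char *s, struct acceptor_name *out)
{
    const char *slash = strchr(s, '/');
    const char *at;

    if (slash != NULL) {
        /* Kerberos form: service "/" host [ "@" realm ]; the realm is dropped. */
        at = strchr(slash + 1, '@');
        if (!copy_component(out->service, s, slash))
            return 0;
        return copy_component(out->host, slash + 1,
                              at ? at : slash + 1 + strlen(slash + 1));
    }
    /* Host-based service form: service "@" host */
    at = strchr(s, '@');
    if (at == NULL)
        return 0;
    if (!copy_component(out->service, s, at))
        return 0;
    return copy_component(out->host, at + 1, at + 1 + strlen(at + 1));
}

/* DNS names are case-insensitive; ignore one trailing dot on either side. */
static int host_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Strict acceptor check: the displayed name must carry exactly the expected
 * service (compared case-sensitively, as Kerberos does) and the expected host.
 * Returns 1 when the context was accepted under the expected identity, else 0. */
int strict_acceptor_check(const char *displayed, const char *expected_service,
                          const char *expected_host)
{
    struct acceptor_name n;
    if (!parse_acceptor_name(displayed, &n))
        return 0;
    return strcmp(n.service, expected_service) == 0 &&
           host_equal(n.host, expected_host);
}

int main(void)
{
    /* Constructed sample names; in a real acceptor they would come from
     * gss_inquire_context() + gss_display_name() after GSS_S_COMPLETE. */
    const char *samples[] = {
        "host@server.example.com",
        "host/server.example.com@EXAMPLE.COM",
        "host/other.example.com@EXAMPLE.COM",
        "ftp@server.example.com",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               strict_acceptor_check(samples[i], "host", "server.example.com")
                   ? "accept" : "reject");
    return 0;
}
```

The comparison is only meaningful once gss_accept_sec_context() has returned GSS_S_COMPLETE, because the acceptor name on a half-built context is not yet authenticated; and because the display form is chosen by the implementation, a deployment that mixes mechanisms should treat a parse failure as a rejection, not as "unknown but probably fine".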