[33148] in Kerberos


Re: acceptor

daemon@ATHENA.MIT.EDU (Brian Candler)
Wed Jan 26 15:14:50 2011

Date: Wed, 26 Jan 2011 20:14:39 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Message-ID: <20110126201439.GC4099@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <iho77m$1etd$1@relay.tomsk.ru>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Jan 26, 2011 at 04:16:54AM +0000, Victor Sudakov wrote:
> Is there a generic way for a kerberized server to configure which
> acceptor principal it will use from the keytab? Why is it so that e.g. 
> sshd uses a "host/foo" principal while svnserve uses a "svn/foo" principal?
> Is it configured somewhere or hardcoded in the source? What if I
> wanted sshd to use a "ssh/foo" principal?

AFAIK, it's a parameter to gss_acquire_cred(). You might find this patch
from Russ Allbery a starting point:

http://bugzilla.cyrusimap.org/show_bug.cgi?id=3380

(which passes NO_NAME, which means that any key in the keytab which is
capable of decrypting the ticket is acceptable)

Looking at openssh source[*], check out ssh_gssapi_acquire_cred (gss-serv.c)
which calls ssh_gssapi_import_name (gss-genr.c).  It looks like it's
hardcoded to "host@<hostname>" which in turn is translated into
host/<hostname> by GSSAPI.

However, you can also see that if you turn off options.gss_strict_acceptor
then it also passes NO_NAME, and hence uses any suitable keytab entry.

Regards,

Brian.

[*] I'm looking at the source from "apt-get source openssh-server" in Ubuntu
10.10, which is openssh-5.5p1 with a lot of Debian-applied patches
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
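The two acceptor choices Brian describes, modelled in C as an added example that is not openssh or MIT krb5 code: the real gss_import_name()/gss_acquire_cred() calls are replaced by a small model in which a host-based name "service@host" is translated to "service/host" and matched against a constructed keytab, and a NULL acceptor plays the role of GSS_C_NO_NAME (openssh with gss_strict_acceptor off). Realms are omitted and the keytab contents are made up for the illustration.

```c
/* Model of how the acceptor name passed to gss_acquire_cred() decides
 * which service tickets a kerberized server will accept. Added
 * illustration, not openssh or MIT krb5 code: the real checks happen
 * inside the GSSAPI library and by decrypting the ticket. */
#include <stddef.h>
#include <string.h>

/* Constructed keytab (principal names only, no realm). */
static const char *const KEYTAB[] = {
    "host/foo.example.com",
    "svn/foo.example.com",
};
#define KEYTAB_LEN (sizeof KEYTAB / sizeof KEYTAB[0])

/* Translate GSS host-based "service@host" into Kerberos "service/host",
 * as GSSAPI does for a GSS_C_NT_HOSTBASED_SERVICE name. Returns 0 on
 * success, -1 if the form is wrong or the result does not fit in out. */
int hostbased_to_principal(const char *hostbased, char *out, size_t outlen)
{
    const char *at = strchr(hostbased, '@');
    if (at == NULL || at == hostbased || at[1] == '\0' ||
        strlen(hostbased) >= outlen)
        return -1;
    size_t svc = (size_t)(at - hostbased);
    memcpy(out, hostbased, svc);
    out[svc] = '/';
    strcpy(out + svc + 1, at + 1);
    return 0;
}

static int in_keytab(const char *princ)
{
    for (size_t i = 0; i < KEYTAB_LEN; i++)
        if (strcmp(KEYTAB[i], princ) == 0)
            return 1;
    return 0;
}

/* acceptor is the host-based name the server imported, or NULL to model
 * GSS_C_NO_NAME (what openssh passes when gss_strict_acceptor is off).
 * ticket_target is the service principal the client's ticket is for.
 * Returns 1 if the server accepts the ticket, 0 otherwise. */
int accepts_ticket(const char *acceptor, const char *ticket_target)
{
    if (!in_keytab(ticket_target))
        return 0;                 /* no key: ticket cannot be decrypted */
    if (acceptor == NULL)
        return 1;                 /* NO_NAME: any decryptable ticket is fine */
    char want[128];
    if (hostbased_to_principal(acceptor, want, sizeof want) != 0)
        return 0;
    return strcmp(want, ticket_target) == 0;  /* strict: must match acceptor */
}
```

With a strict "host@foo.example.com" acceptor a ticket for svn/foo.example.com is refused even though its key is in the keytab; with NO_NAME it is accepted.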
